Tuesday

So we're much safer with SSL on proxies, right?

Ermm, well, wrong. I'm always going on about how insecure HTTP is, but I'm afraid HTTPS and SSL aren't much better either. The Black Hat Conference at Washington revealed a rather neat tool called sslstrip.

An 'independent hacker' (I love that phrase!) has apparently figured out how to fool both the website and the browser that a connection is encrypted whilst intercepting the unencrypted communications. He has created a tool to exploit this called sslstrip. The problem is the way SSL is implemented: have you ever wondered why we browse through lots of unencrypted pages building up to the secure page protected by SSL? I mean, why not encrypt it all!

This is how the tool works: it intercepts the communication when an HTTP site moves to HTTPS (probably when you're just about to hand over your account details and passwords). sslstrip tricks the server and user into thinking the connection is encrypted.

So how does it do this? Well, basically it runs a proxy on the local network which actually contains a valid SSL certificate (which keeps the browser displaying HTTPS in the address bar).

Then it uses homographic techniques (errm, I looked this up: it basically exploits the way a URL is displayed, using lots of fake slash marks in the address). The page you are visiting is false, but it looks like the correct https://secureserver.com in your address bar.
So everything looks great and super secure, and the user types in all the login details on the secure web page, which is actually just a hacker's proxy server on the local network. Apparently he tried it on a TOR host and extracted 254 passwords and user accounts in 24 hours!!!

I expect to see this tool installed fairly rapidly on free anonymous proxies across the internet. If you are insane enough to carry on using them to do anything other than occasional browsing, I'm afraid you'll regret it.

We won't be safe until everything is encrypted I'm afraid.
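
For site owners, here is an added example (not part of the original post, and not sslstrip code): a small Python audit that lists the spots where a page served over plain HTTP hands the visitor off to HTTPS, which is the transition described above. The host shop.example, the sample HTML and the finding labels are all constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class TransitionAudit(HTMLParser):
    """Flag places where a page hands the visitor from HTTP to HTTPS."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_is_http = urlsplit(page_url).scheme == "http"
        self.findings = []   # (label, absolute target URL); labels are made up here
        self._form = None    # [target, has_password_field] while inside a <form>

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            target = urljoin(self.page_url, a["href"])
            # An HTTPS link delivered over HTTP is only as trustworthy as that page.
            if self.page_is_http and urlsplit(target).scheme == "https":
                self.findings.append(("https-link-on-http-page", target))
        elif tag == "form":
            self._form = [urljoin(self.page_url, a.get("action") or ""), False]
        elif tag == "input" and self._form and (a.get("type") or "").lower() == "password":
            self._form[1] = True

    def handle_endtag(self, tag):
        if tag != "form" or not self._form:
            return
        target, has_password = self._form
        self._form = None
        if not has_password:
            return
        if urlsplit(target).scheme == "http":
            self.findings.append(("password-form-cleartext", target))
        elif self.page_is_http:
            self.findings.append(("password-form-on-http-page", target))


def audit(page_url, html):
    parser = TransitionAudit(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample: a plain-HTTP landing page with a sign-in link and a login form.
SAMPLE_URL = "http://shop.example/"
SAMPLE_HTML = """
<a href="/about">About</a>
<a href="https://shop.example/login">Sign in</a>
<form action="https://shop.example/session" method="post">
  <input type="text" name="user"><input type="password" name="pw">
</form>
<form action="/search"><input type="text" name="q"></form>
"""
```

The same HTML served from an https:// URL produces no findings, which is the "encrypt it all" case.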
