
SSL security - a fundamentally broken model

  • 10-10-2009 11:41am
    #1
    Closed Accounts Posts: 2,055 ✭✭✭


    Moxie Marlinspike gave a presentation at Black Hat on how to do a man in the middle attack against “secure” browser connections. Using the vulnerability at a WiFi hotspot “during a 24-hour period of time, he intercepted 114 logins to Yahoo.com, 50 logins to Gmail, 42 to Ticketmaster.com, 14 to RapidShare.com, 13 to Hotmail, nine to PayPal, nine to LinkedIn, three to Facebook. And so in that 24-hour period he captured 117 separate email account logons; 16 credit card numbers along with all of the subsidiary, you know, expiration date and security code and everything, users' names, passwords, everything required to use those cards; nine secure PayPal logins; and over 300 other miscellaneous secure logins, using the technique.”

    I was in a hotel room recently, and clicked on “Network” on my PC menu, and about a dozen other guests’ PCs came up, as is typical. I was looking to see if someone I was meeting had checked into their room, and didn’t know the room number he would be assigned – so the simplest way to verify his presence was to see if he was using the net. I came across an idiot’s PC in my search. He did not appear to be using a user ID and password on his machine. Even worse, he had a public folder called “ID Docs” or something similar – right up top (one didn’t have to go digging). Inside the folder he had copies of his and his partner’s passports, driver’s licenses, bank statements, utility bills, card bills, copies of his Visa and Mastercards (both sides), etc. Everything one needs to steal his identity. They clearly don’t teach computer security basics at the school he went to!

    Back to Moxie’s vulnerability: I invariably use a VPN connection when travelling – it doesn’t have to be wifi; Ethernet, or even someone at an ISP or phone company, can also be used for the Moxie trick to snoop on your https stuff.

    The only way to prevent it under the current SSL/TLS set-up is to enter https://www.websitename.com and force a secure connection from the start of your activity on a website that you intend to provide personal information to. Unfortunately many websites dump one out of https and into http, without a warning or any regard for your security – because they couldn’t be bothered using SSL accelerators at their end to handle the extra computer processing cycles that https creates.

    Steve did a show on the topic:

    http://www.podtrac.com/pts/redirect.mp3/aolradio.podcast.aol.com/sn/SN-217.mp3

    (If you are in a hurry, skip the first 32 minutes of the audio, as it deals with other matters).

    [Leo is speaking at www.ted.com in Dubai this week, so the show is co-hosted by Alex Lindsay in his place. They flew Leo and wife, business class on Emirates, (the fare is about $10,000 each) from SFO to DXB to speak for 18 minutes at TED Dubai. Add to that the hotel bill at burjdubai.com, or similar. TED & Co must have deep pockets!]


Comments

  • Closed Accounts Posts: 2,055 ✭✭✭probe


    Perhaps I shouldn't be pointing this out - but you can download the software used by Moxie to strip the s from https:// as the packets travel over a wifi or ethernet connection within a router system here:

    http://www.thoughtcrime.org/software/sslstrip/

    The software also allows one to put an icon in the victim's browser with a nice golden padlock so he "knows" he has a secure connection!

    I'm assuming that if you are the evil genius type who is motivated and capable of using this, you'll have been there and done that without my help. If you are responsible for corporate IT security one assumes that you have set-up all company PCs to use a VPN to the company network before any other net activity takes place.

    And that none of your employees use Irish cable TV internet connections with company PCs.


  • Moderators, Category Moderators, Science, Health & Environment Moderators, Society & Culture Moderators Posts: 47,812 CMod ✭✭✭✭Black Swan


    Is the TLS protocol (upgraded version) replacing the SSL protocol, because of these SSL vulnerabilities you have mentioned? See link: http://tools.ietf.org/html/rfc5246


  • Closed Accounts Posts: 2,055 ✭✭✭probe


    Is the TLS protocol (upgraded version) replacing the SSL protocol, because of these SSL vulnerabilities you have mentioned? See link: http://tools.ietf.org/html/rfc5246

    TLS doesn't fix this. The only way to fix this problem is for websites dealing with money and personal identity stuff to go https:// all the way. If you are doing online banking, you must start off with https://www.yourbank.com.

    If they break the secure connection at any stage, you are at risk. Same for aerlingus.com, ryanair.com, and every other dot-anything that wants your identity or payment card details.

    Your entire relationship with these websites from start to end must be over a secure connection. Failing this, the Moxy types (wherever they are along the internet connection from your machine to the server) will get a leg in, strip out the https from the page, and when you click on the "next" button, they own you and all the data you send over a "secure" connection for that transaction.

    Anyone who goes to http://ecommerce-type-site-of-any-kind.com must be automatically redirected to https://ecommerce-type-site-of-any-kind.com. The responsibility is with the website rather than with the user. The security conscious user should avoid using websites that don't allow them to use https:// for their entire visit - and if they can't and suffer loss, sue the bank, hotel, airline, mail order company, or whoever that blocked their ability to connect securely.
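    The two rules this post sets out for a site operator (plain http:// must redirect straight to https:// on the same host, and no page served over https may hand the visitor back to http:// on that host) can be audited offline. The following is an added example written for this thread, not code from the thread or from sslstrip; the hostnames, headers and HTML in it are constructed sample data.

```python
# Added example (not from the thread): audit the "https all the way" rule offline.
# 1. a plain http:// request must answer with a redirect to https:// on the same host;
# 2. a page served over https must not send the visitor back to http:// on that host
#    (links or form actions), which is the point where a stripping attack gets a leg in.
# Hostnames and HTML below are constructed sample data; nothing touches the network.
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

REDIRECT_CODES = (301, 302, 307, 308)

def check_http_redirect(host, status, headers):
    """True only when http://host answers with a redirect to https://host/..."""
    if status not in REDIRECT_CODES:
        return False
    location = {k.lower(): v for k, v in headers.items()}.get("location", "")
    target = urlsplit(location)
    return target.scheme == "https" and target.hostname == host

class _RefCollector(HTMLParser):
    """Collects every <a href> and <form action> seen in the page."""
    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.refs.append(("link", a["href"]))
        elif tag == "form":
            self.refs.append(("form", a.get("action") or ""))

def find_downgrades(page_url, html):
    """Return [(kind, absolute_url)] for refs that drop the same host to plain http."""
    host = urlsplit(page_url).hostname
    collector = _RefCollector()
    collector.feed(html)
    found = []
    for kind, ref in collector.refs:
        absolute = urljoin(page_url, ref)  # resolve relative paths against the page
        parts = urlsplit(absolute)
        if parts.scheme == "http" and parts.hostname == host:
            found.append((kind, absolute))
    return found

# Constructed page: one relative link (fine), one same-host http link and one
# http form action (both downgrades), one off-host link (not this site's problem).
SAMPLE_PAGE = """<html><body>
<a href="/help">Help</a>
<a href="http://www.example-bank.test/checkout">Checkout</a>
<form action="http://www.example-bank.test/pay" method="post"></form>
<a href="http://other.test/">Elsewhere</a>
</body></html>"""
```

In practice you would feed `check_http_redirect` the status and headers of a real `http://` probe and `find_downgrades` the body of each `https://` page crawled; anything either returns is a place where the session leaves the secure connection.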

