Interesting post by Dan Kaminsky, a security researcher:

It talks about SSL attacks and when/how they work. He bases his post off of work done by Moxie Marlinspike:

What it boils down to:

  • You can create a man-in-the-middle (MITM) attack that strips SSL and authentication from network traffic and virtually no one will notice. This kind of attack requires you to be able to insert yourself into a corporate network, an ISP, etc. But users don’t normally look up and say, “Hey, isn’t this site supposed to be HTTPS?”.
  • You can still create fake URLs that look like legitimate sites: that URL uses characters that look like ‘/’ and ‘?’ but aren’t.
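
The two bullets above, turned into a defender-side check. This is an added example, not code from Kaminsky's or Marlinspike's posts: a small link inspector that (1) flags a link that has been downgraded to plain http:// where https:// was expected, and (2) splits the URL the way a browser does (only the ASCII characters '/', '?' and '#' end the host name), so that look-alike characters for '/' and '?' are exposed as part of an attacker-controlled host rather than a path. The `LOOKALIKES` table, the function names and the sample URLs are all constructed for the illustration.

```python
"""Added example (not from the original post): inspect a link for SSL
stripping and for look-alike '/' and '?' characters in the host name.

  1. SSL stripping leaves the user on plain http:// where https:// was
     expected, so any non-https scheme is flagged.
  2. Look-alike characters do not terminate the host for a browser's URL
     parser, so what the user reads as a path is really part of the host.
     The inspector reports which look-alikes are present and shows the
     registrable domain the user should actually be checking.
"""
import re
import unicodedata

# Constructed, deliberately short table; a production tool would use the
# full Unicode confusables data (UTS #39) instead.
LOOKALIKES = {
    "\u2215": "/",  # DIVISION SLASH (survives NFKC normalisation)
    "\u2044": "/",  # FRACTION SLASH (survives NFKC)
    "\uff0f": "/",  # FULLWIDTH SOLIDUS (NFKC folds it to '/')
    "\u2571": "/",  # BOX DRAWINGS LIGHT DIAGONAL ... (survives NFKC)
    "\uff1f": "?",  # FULLWIDTH QUESTION MARK (NFKC folds it to '?')
    "\u2e2e": "?",  # REVERSED QUESTION MARK (survives NFKC)
    "\u061f": "?",  # ARABIC QUESTION MARK (survives NFKC)
}

# Browser-style split: only the ASCII delimiters end the authority part.
_URL_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*)://([^/?#]*)(.*)$", re.DOTALL)


def split_url(url):
    """Return (scheme, host, rest), or None if url is not an absolute URL."""
    m = _URL_RE.match(url)
    if not m:
        return None
    scheme, authority, rest = m.groups()
    host = authority.rsplit("@", 1)[-1]  # drop user:pass@ if present
    host = host.split(":", 1)[0]         # drop :port
    return scheme.lower(), host, rest


def registrable_domain(host):
    """Last two labels of the host. Fine for the demo; a real tool should
    consult the Public Suffix List (think co.uk) instead."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def inspect_url(url, expect_https=True):
    """Inspect one link and return a report dict with a 'findings' list."""
    parts = split_url(url)
    if parts is None:
        return {"url": url, "findings": ["not an absolute URL"]}
    scheme, host, _ = parts
    findings = []

    # (1) SSL stripping: the page reaches the user over plain HTTP.
    downgraded = bool(expect_https and scheme != "https")
    if downgraded:
        findings.append(
            f"scheme is {scheme}: no encryption or server authentication; expected https")

    # (2) Look-alike delimiters hiding inside the host name.
    lookalikes = [(c, unicodedata.name(c, "UNKNOWN")) for c in host if c in LOOKALIKES]
    for c, name in lookalikes:
        findings.append(
            f"host contains U+{ord(c):04X} {name}, which renders like '{LOOKALIKES[c]}'")

    # NFKC unmasks some look-alikes (fullwidth forms) but not others, which
    # is why the table above is still needed.
    nfkc_host = unicodedata.normalize("NFKC", host)
    if not host.isascii():
        findings.append(
            f"host is non-ASCII; the registrable domain is actually '{registrable_domain(host)}'")

    return {
        "url": url,
        "scheme": scheme,
        "host": host,
        "nfkc_host": nfkc_host,
        "real_domain": registrable_domain(host),
        "downgraded": downgraded,
        "lookalikes": lookalikes,
        "findings": findings,
    }


# Constructed samples. PHISHY reads like https://www.bank.example/login/secure?id=1
# on screen, but it was downgraded to http and the "path" is part of the host.
PHISHY = "http://www.bank.example\u2215login\u2215secure\uff1fid=1.attacker.example/"
CLEAN = "https://www.bank.example/login/secure?id=1"

if __name__ == "__main__":
    for link in (PHISHY, CLEAN):
        report = inspect_url(link)
        print(link)
        print("  real domain:", report.get("real_domain"))
        for f in report["findings"]:
            print("  -", f)
```

Running it shows the point of both bullets: the phishy link reports `attacker.example` as the real domain and lists each look-alike character, while the clean link reports nothing. The same `inspect_url` can be run over links extracted from mail or proxy logs to flag downgraded or confusable URLs before a user ever has to notice them.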

A company with an external site that needs to be secure has to invest in an extended validation (EV) certificate and has to educate its users to look for the tell-tale signs. Ray Bordogna and I did an internet strategy project with AIG and that was one of the first things we told them. The key to this is education.