Interesting post by Dan Kaminsky, a security researcher:
It talks about SSL attacks and when/how they work. He bases his post on work done by Moxie Marlinspike:
What it boils down to:
- You can mount a man-in-the-middle (MITM) attack that strips SSL and authentication from network traffic, and virtually no one will notice. This kind of attack requires you to be able to insert yourself into a corporate network, an ISP, etc. But users don’t normally look up and say, “Hey, isn’t this site supposed to be HTTPS?”
- You can still create fake URLs that look like legitimate sites: http://mybank.com/somestuff?the.piratedomain.cn. That URL uses characters that look like ‘/’ and ‘?’ but aren’t, so the browser treats the whole string as one hostname and the site actually being visited is the.piratedomain.cn.
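As an added example (not code from Dan Kaminsky's or Moxie Marlinspike's posts), here is a small Python check that shows what a browser actually treats as the hostname in such a URL. It finds the authority the way a URL parser does (everything up to the first real ASCII ‘/’, ‘?’ or ‘#’), then NFKC-folds the host to expose Unicode characters that merely resemble those delimiters. The sample URL is constructed with U+FF0F FULLWIDTH SOLIDUS and U+FF1F FULLWIDTH QUESTION MARK standing in for ‘/’ and ‘?’; the.piratedomain.cn is the post's placeholder domain, and the “registrable domain” field is a naive last-two-labels approximation rather than a public-suffix-list lookup. The `stdlib_rejects` helper reports whether the running CPython's `urllib.parse.urlsplit` refuses the host (recent versions raise `ValueError` when NFKC folding would introduce a delimiter).

```python
"""Reveal the real host behind a URL built from look-alike characters.

Added example, not from the original post. The sample URL is constructed;
the.piratedomain.cn is the post's placeholder domain.
"""
import unicodedata
from urllib.parse import urlsplit

# Delimiters a hostname may never contain, each of which has visually
# similar Unicode cousins (FULLWIDTH SOLIDUS, FULLWIDTH QUESTION MARK, ...).
DELIMITERS = "/?#@:"

# Constructed sample: \uff0f looks like '/', \uff1f looks like '?'
DECEPTIVE_URL = "http://mybank.com\uff0fsomestuff\uff1fthe.piratedomain.cn"
HONEST_URL = "https://mybank.com/somestuff?the.piratedomain.cn"


def split_authority(url: str) -> str:
    """Return the host the way a URL parser finds it: the text after
    'scheme://' up to the first ASCII '/', '?' or '#', minus any
    userinfo ('user@') and port (':443')."""
    _, sep, rest = url.partition("://")
    if not sep:
        rest = url
    end = len(rest)
    for ch in "/?#":
        idx = rest.find(ch)
        if idx != -1:
            end = min(end, idx)
    authority = rest[:end]
    authority = authority.rsplit("@", 1)[-1]   # drop userinfo
    return authority.split(":", 1)[0]          # drop port


def lookalike_delimiters(host: str) -> list:
    """List non-ASCII characters in the host whose NFKC form contains a
    URL delimiter, i.e. characters that only look like '/', '?', etc."""
    found = []
    for ch in host:
        if ch.isascii():
            continue
        folded = unicodedata.normalize("NFKC", ch)
        if any(c in DELIMITERS for c in folded):
            found.append((ch, f"U+{ord(ch):04X}", unicodedata.name(ch, "?")))
    return found


def analyze_url(url: str) -> dict:
    """Describe what a browser would really connect to for this URL."""
    host = split_authority(url)
    labels = host.split(".")
    lookalikes = lookalike_delimiters(host)
    return {
        "host": host,
        # NFKC folds U+FF0F to '/', U+FF1F to '?', making the trick visible
        "folded_host": unicodedata.normalize("NFKC", host),
        "labels": labels,
        # naive: last two labels, with no public-suffix-list awareness
        "registrable_domain": ".".join(labels[-2:]),
        "lookalike_delimiters": lookalikes,
        "deceptive": bool(lookalikes),
    }


def stdlib_rejects(url: str) -> bool:
    """True if this Python's urlsplit refuses the URL's netloc because
    NFKC normalisation would introduce a delimiter character."""
    try:
        urlsplit(url)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for sample in (DECEPTIVE_URL, HONEST_URL):
        report = analyze_url(sample)
        print(sample)
        print("  host:          ", report["host"])
        print("  folded host:   ", report["folded_host"])
        print("  real domain:   ", report["registrable_domain"])
        print("  look-alikes:   ", report["lookalike_delimiters"])
        print("  urlsplit rejects:", stdlib_rejects(sample))
```

The defensive takeaway is the `folded_host` line: once the look-alike characters are folded to their ASCII counterparts, the string visibly contains ‘/’ and ‘?’ inside what the browser considers the host, and the only registrable domain in it is the attacker's. A proxy, mail gateway or link checker can apply the same fold and flag any host whose folded form contains a delimiter.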
A company with an external site that needs to be secure has to invest in an extended validation (EV) certificate and has to educate its users to look for the tell-tale signs. Ray Bordogna and I did an internet strategy project with AIG and that was one of the first things we told them. The key to this is education.
Tags: Computing Security