Interesting post by Dan Kaminsky, a security researcher:

http://www.doxpara.com/?p=1269

It talks about SSL attacks and when/how they work. He bases his post off of work done by Moxie Marlinspike:

https://www.blackhat.com/presentations/bh-dc-09/Marlinspike/BlackHat-DC-09-Marlinspike-Defeating-SSL.pdf

What it boils down to:

  • You can create a man-in-the-middle (MITM) attack that strips SSL and authentication from network traffic and virtually no one will notice. This kind of attack requires you to be able to insert yourself into a corporate network, an ISP, etc. But users don’t normally look up and say, “Hey, isn’t this site supposed to be HTTPS?”.
  • You can still create fake URLs that look like legitimate sites: http://mybank.com/somestuff?the.piratedomain.cn. That URL is using characters that look like ‘/’ and ‘?’, but aren’t, so the browser treats everything up to the first real slash as one hostname, and the request ends up at piratedomain.cn rather than mybank.com.

A company with an external site that needs to be secure has to invest in an extended validation (EV) certificate and has to educate its users to look for the tell-tale signs. Ray Bordogna and I did an internet strategy project with AIG and that was one of the first things we told them. The key to this is education.