SSL Attacks

February 20th 2009 · Computing Security , Web , Dev Trends

Interesting post by Dan Kaminsky, a security researcher:

http://www.doxpara.com/?p=1269

It talks about SSL attacks and when/how they work. He bases his post off of work done by Moxie Marlinspike:

https://www.blackhat.com/presentations/bh-dc-09/Marlinspike/BlackHat-DC-09-Marlinspike-Defeating-SSL.pdf

What it boils down to:

  • You can create a man-in-the-middle (MITM) attack that strips SSL and authentication from network traffic and virtually no one will notice. This kind of attack requires you to be able to insert yourself into a corporate network, an ISP, etc. But users don’t normally look up and say, “Hey, isn’t this site supposed to be HTTPS?”.
  • You can still create fake URLs that look like legitimate sites: http://mybank.com/somestuff?the.piratedomain.cn. That URL is using characters that look like ‘/’ and ‘?’, but aren’t.

A company with an external site that needs to be secure has to invest in an extended validation (EV) certificate and has to educate their users to look for the tell-tale signs. Ray Bordogna and I did an internet strategy project with AIG and that was one of the first things we told them. The key to this is education.

Tags: Computing Security
Author:
Security in Computing, 4th Edition    The Little Book of Cloud Computing Security, 2012 Edition    Auditing Cloud Computing: A Security and Privacy Guide (Wiley Corporate F&A)    AWS Identity and Access Management (IAM) Using Temporary Security Credentials    Cloud Security and Privacy: An Enterprise Perspective on Risks and Compliance (Theory in Practice)   

Share:

  • email
  • Twitter
  • Facebook
  • Slashdot
  • LinkedIn
  • Digg
  • DZone
  • Reddit