There is SSLFail. I’ve talked about SSL before. Jay Beale has been presenting on similar issues. And now Moxie Marlinspike has given another eyebrow-raising talk at Black Hat about SSL and HTTPS attacks (pdf). It’s like SSL implementations aren’t being asked if they want a gut punch or a face punch, but rather just getting both. Some of his material is similar to what Beale does, and while I don’t care who was first, the fact that multiple people are pointing these out is noteworthy in itself. Mubix tweeted (twitted? twatted? oh my) a link to the video preso.
SSLStrip is the tool he announced, but I don’t see it public yet. Moxie has other SSL tools, too. And I’m curious who still doesn’t set (CAs) or check (browsers) basicConstraints.
Bottom line: If you’re still not scared of SSL MITM attacks at your local hotspots, you need to be. In fact, any time you’re on a network you can’t trust, you need to exercise reservation in your actions.