more attacks against ssl

There is SSLFail. I’ve talked about SSL before. Jay Beale has been presenting on similar issues. And now Moxie Marlinspike has given another eyebrow-raising talk at Black Hat about SSL and HTTPS attacks (pdf). It’s like SSL implementations aren’t being asked if they want a gut punch or a face punch, but rather just getting both. Some of his material is similar to what Beale does, and while I don’t care who was first, the fact that multiple people are pointing these out is noteworthy itself. Mubix tweeted (twitted? twatted? oh my) a link to the video preso.

SSLStrip is the tool he announced, but I don’t see it public yet. Moxie has other SSL tools, too. And I’m curious who still doesn’t set (CAs) or check (browsers) basicConstraints: a client that skips that check will accept any ordinary site certificate as the signer of a certificate for some other name, so an attacker needs nothing more than a cert of their own to impersonate everyone.
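
Here is what that missing check looks like in validator logic, as an added example (not code from the post, from any browser, or from any CA). Certificates are plain dicts standing in for parsed X.509 and signature verification is modelled as a key-id match so it runs offline; the certificate names, key ids and the "Lazy Intermediate" are all constructed for the example.

```python
"""Chain validation with and without the basicConstraints check.

Added example, not code from the post, from any browser or from any CA.
Certificates are plain dicts standing in for parsed X.509, and signature
verification is modelled as a key-id match so the whole thing runs offline.
The bug shown is the one the post asks about: a validator that only chains
on issuer names and signatures lets any end-entity certificate act as a CA.
"""

# Constructed certificates.  'bc' models basicConstraints: None means the
# extension is absent, otherwise {'ca': bool, 'pathlen': int or None}.
ROOT = {"subject": "Root CA", "issuer": "Root CA", "key_id": "k-root",
        "signed_by": "k-root", "bc": {"ca": True, "pathlen": None}}
SITE = {"subject": "www.bank.example", "issuer": "Root CA", "key_id": "k-site",
        "signed_by": "k-root", "bc": {"ca": False, "pathlen": None}}
# Whoever holds SITE's private key can sign a certificate for any other name.
FORGED = {"subject": "mail.victim.example", "issuer": "www.bank.example",
          "key_id": "k-forged", "signed_by": "k-site", "bc": None}
# A CA that forgot to set the extension on its intermediate ("doesn't set").
NOBC_INT = {"subject": "Lazy Intermediate", "issuer": "Root CA", "key_id": "k-int",
            "signed_by": "k-root", "bc": None}
UNDER_NOBC = {"subject": "shop.example", "issuer": "Lazy Intermediate",
              "key_id": "k-shop", "signed_by": "k-int", "bc": {"ca": False, "pathlen": None}}

TRUST_STORE = {ROOT["subject"]: ROOT}
MAX_DEPTH = 10


def signature_ok(cert, issuer):
    """Stand-in for a real signature check: signed with the issuer's key."""
    return cert["signed_by"] == issuer["key_id"] and cert["issuer"] == issuer["subject"]


def is_anchor(cert):
    return any(cert is anchor for anchor in TRUST_STORE.values())


def find_issuer(cert, supplied):
    """Prefer a trust-store anchor, else an intermediate sent with the chain."""
    anchor = TRUST_STORE.get(cert["issuer"])
    if anchor is not None and signature_ok(cert, anchor):
        return anchor
    for cand in supplied:
        if cand["subject"] == cert["issuer"] and signature_ok(cert, cand):
            return cand
    return None


def naive_validate(leaf, supplied):
    """Chains on names and signatures only.  Accepts FORGED and UNDER_NOBC."""
    cert, depth = leaf, 0
    while not is_anchor(cert):
        issuer = find_issuer(cert, supplied)
        if issuer is None or depth >= MAX_DEPTH:
            return False
        cert, depth = issuer, depth + 1
    return True


def strict_validate(leaf, supplied):
    """Same walk, but every issuer must assert CA=TRUE and honour pathlen."""
    cert, depth = leaf, 0
    while not is_anchor(cert):
        issuer = find_issuer(cert, supplied)
        if issuer is None or depth >= MAX_DEPTH:
            return False
        bc = issuer["bc"]
        if bc is None or not bc["ca"]:
            return False            # absent or CA=FALSE: not allowed to issue
        if bc["pathlen"] is not None and depth > bc["pathlen"]:
            return False            # more intermediates below it than it permits
        cert, depth = issuer, depth + 1
    return True


if __name__ == "__main__":
    for name, leaf, chain in [("site", SITE, []), ("forged", FORGED, [SITE]),
                              ("under-nobc", UNDER_NOBC, [NOBC_INT])]:
        print(f"{name:10s} naive={naive_validate(leaf, chain)} "
              f"strict={strict_validate(leaf, chain)}")
```

Both validators accept the honest site certificate; only the strict one rejects the certificate signed with the site's key and the one issued under an intermediate that never asserted CA=TRUE. The pathlen check is the second half of the same extension and is cheap to carry along once the CA flag is being read at all.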

Bottom line: if you’re still not scared of SSL MITM attacks at your local hotspot, you should be. In fact, any time you’re on a network you can’t trust, you need to exercise reservation in your actions.
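
To make the hotspot threat concrete, here is the downgrade an SSLStrip-style MITM performs and the check a client could run against it, as an added example; this is not Moxie’s sslstrip and not code from the post. The proxy talks HTTPS to the real site, rewrites every https:// link in the response to http://, and remembers what it stripped so the victim’s later plaintext requests get re-upgraded upstream. The `Stripper` class, `insecure_credential_forms` and the www.bank.example page body are all constructed for the example.

```python
"""The downgrade an SSLStrip-style hotspot MITM performs, and a check for it.

Added example, not Moxie's sslstrip.  The attacker's proxy sits between the
victim and the web: it fetches over HTTPS, rewrites every https:// link in
the response to http://, and remembers which URLs it stripped so it can
re-upgrade the victim's later plaintext requests.  The second half is the
check a client-side tool could run on what it received: does this page hand
a password to a non-HTTPS form action?
"""
import re
from urllib.parse import urljoin, urlsplit

HTTPS_URL = re.compile(r'https://[^\s"\'<>]+', re.IGNORECASE)


class Stripper:
    """Attacker side.  State: which (host, path) pairs must go upstream over TLS."""

    def __init__(self):
        self.stripped = set()

    def rewrite(self, html):
        def swap(match):
            url = match.group(0)
            parts = urlsplit(url)
            self.stripped.add((parts.netloc.lower(), parts.path or "/"))
            return "http://" + url[len("https://"):]
        return HTTPS_URL.sub(swap, html)

    def upstream_scheme(self, host, path):
        """When the victim later asks for http://host/path, fetch it over https."""
        return "https" if (host.lower(), path or "/") in self.stripped else "http"


FORM_RE = re.compile(r"<form\b[^>]*>.*?</form>", re.IGNORECASE | re.DOTALL)
ACTION_RE = re.compile(r"""action\s*=\s*["']([^"']*)["']""", re.IGNORECASE)
PASSWORD_RE = re.compile(r"""<input\b[^>]*type\s*=\s*["']password["']""", re.IGNORECASE)


def insecure_credential_forms(page_url, html):
    """Victim side: actions of forms that would send a password over plain HTTP."""
    findings = []
    for form in FORM_RE.findall(html):
        if not PASSWORD_RE.search(form):
            continue
        match = ACTION_RE.search(form)
        # A missing action posts back to the page itself, so resolve against page_url.
        action = urljoin(page_url, match.group(1) if match else "")
        if urlsplit(action).scheme.lower() != "https":
            findings.append(action)
    return findings


# Constructed response body, as the real site would send it over HTTPS.
ORIGINAL = (
    '<html><body><a href="https://www.bank.example/login">Sign in</a>'
    '<form action="https://www.bank.example/login" method="post">'
    '<input name="user"><input type="password" name="pw"></form></body></html>'
)

if __name__ == "__main__":
    proxy = Stripper()
    downgraded = proxy.rewrite(ORIGINAL)
    print(downgraded)
    print("upstream for /login:", proxy.upstream_scheme("www.bank.example", "/login"))
    print("leaky forms, original:", insecure_credential_forms("http://www.bank.example/", ORIGINAL))
    print("leaky forms, stripped:", insecure_credential_forms("http://www.bank.example/", downgraded))
```

The victim never sees a certificate warning because the victim never negotiates TLS at all; the only visible difference is the scheme in the address bar and in the form action, which is exactly what the second function looks at.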

2 thoughts on “more attacks against ssl”

  1. Exercising reservation in your actions is a bit easier said than done. Run a packet capture using something like NetworkMiner or straight Wireshark and just watch how much traffic your system does without any interaction from you. I noticed one time that I had a program auto-starting that did unencrypted HTTP authentication, and it kept trying if it didn’t get connected right off the bat.
    There is a program that I like to use called “Proxifier PE”; it is the portable edition of a program that is well worth the money. It proxies all of your traffic through whatever kind of proxy you wish, and will also proxy DNS traffic for you. So:
    Step 1: Open up Proxifier PE even though you aren’t connected yet, so that it starts trying to proxy all of your traffic (making sure that PuTTY or whatever SSH client you have is set to not proxy in the Proxifier rules).
    Step 2: Connect to the open wifi.
    Step 3: Kick up your SSH session that you already tested so that the key is stored, and you are off to the races.
    If the wifi spot needs you to pay, or go through some web site first, have an unaltered copy of Portable Firefox that is set to not proxy in the Proxifier rules, that you only use for this purpose (I keep it in the same folder with PuTTY and Proxifier PE).
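
The “will also proxy DNS” point in the comment above is worth seeing on the wire. As an added example (not Proxifier’s or PuTTY’s code, and not the commenter’s setup), here are the two ways a client can ask a SOCKS5 proxy such as the local end of an SSH dynamic forward for a connection: hand it the hostname so the far end resolves it, or resolve locally and send an IPv4 address, which is the DNS leak. `FakeProxy`, the host `mail.example` and the address `192.0.2.10` are constructed so it runs offline.

```python
"""SOCKS5 CONNECT with and without leaking DNS, as a local SSH tunnel would see it.

Added example, not Proxifier's or PuTTY's code.  A SOCKS5 client can either
send the hostname (ATYP=DOMAINNAME) and let the proxy resolve it at the far
end of the tunnel, or resolve the name itself first and send an IPv4 address.
The second one is the DNS leak: the lookup goes out over the untrusted
hotspot even though the payload is tunnelled.  FakeProxy is a constructed
stand-in that records what it receives.
"""
import struct

SOCKS_VER = 0x05
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
METHOD_NOAUTH = 0x00


def greeting():
    """Version identifier offering only 'no authentication'."""
    return bytes([SOCKS_VER, 1, METHOD_NOAUTH])


def connect_request(host, port):
    """CONNECT with ATYP=DOMAINNAME: the proxy resolves the name, not the client."""
    name = host.encode("idna")
    if not 0 < len(name) < 256:
        raise ValueError("hostname length must fit in one byte")
    return (bytes([SOCKS_VER, CMD_CONNECT, 0x00, ATYP_DOMAIN, len(name)])
            + name + struct.pack("!H", port))


def connect_request_ipv4(ip, port):
    """The leaky variant: the client already resolved the name itself."""
    octets = bytes(int(o) for o in ip.split("."))
    if len(octets) != 4:
        raise ValueError("expected dotted IPv4")
    return bytes([SOCKS_VER, CMD_CONNECT, 0x00, ATYP_IPV4]) + octets + struct.pack("!H", port)


def proxy_resolves_name(request):
    """True if a CONNECT request carries a name for the proxy to resolve."""
    return len(request) > 3 and request[3] == ATYP_DOMAIN


def parse_reply(data):
    """Return (REP code, bound address, bound port) from a SOCKS5 reply."""
    if len(data) < 4 or data[0] != SOCKS_VER:
        raise ValueError("not a SOCKS5 reply")
    rep, atyp = data[1], data[3]
    if atyp == ATYP_IPV4:
        addr, rest = ".".join(str(b) for b in data[4:8]), data[8:]
    elif atyp == ATYP_DOMAIN:
        n = data[4]
        addr, rest = data[5:5 + n].decode("ascii"), data[5 + n:]
    elif atyp == ATYP_IPV6:
        addr, rest = data[4:20].hex(), data[20:]
    else:
        raise ValueError("unknown address type %#x" % atyp)
    if len(rest) < 2:
        raise ValueError("truncated reply")
    return rep, addr, struct.unpack("!H", rest[:2])[0]


def socks5_connect(sock, host, port):
    """Run the exchange over a socket-like object; returns the proxy's bound address."""
    sock.sendall(greeting())
    ver, method = sock.recv(2)
    if ver != SOCKS_VER or method != METHOD_NOAUTH:
        raise ConnectionError("proxy refused no-auth")
    sock.sendall(connect_request(host, port))
    rep, addr, bport = parse_reply(sock.recv(262))
    if rep != 0x00:
        raise ConnectionError("CONNECT failed, REP=%d" % rep)
    return addr, bport


class FakeProxy:
    """Constructed stand-in for the local end of an 'ssh -D' tunnel."""

    def __init__(self):
        self.received = b""
        self._replies = [bytes([SOCKS_VER, METHOD_NOAUTH]),
                         bytes([SOCKS_VER, 0x00, 0x00, ATYP_IPV4, 0, 0, 0, 0, 0, 0])]

    def sendall(self, data):
        self.received += data

    def recv(self, _n):
        return self._replies.pop(0)


if __name__ == "__main__":
    proxy = FakeProxy()
    print("bound to", socks5_connect(proxy, "mail.example", 993))
    print("proxy saw the hostname:", b"mail.example" in proxy.received)
    print("leaky request:", connect_request_ipv4("192.0.2.10", 993).hex())
```

The test of a setup like the one in the comment is the same either way: capture on the wifi interface and confirm that no port 53 traffic leaves the box once the tunnel is up. A client that builds the IPv4 form has already done the lookup in the clear before the first SOCKS byte is sent.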

  2. That sounds pretty nice!
    It also seems like the only systems I have that don’t talk wildly out of control are the ones that (no surprise!) I do very few things on and monitor the outbound connections; basically my servers and gaming machine. Move to my laptops or my personal machine and things get hairy. Just like an average Joe, it’s all the junk we put on these things…
    I’ve never heard of that tool, but it sounds cool enough to check out. In fact, sounds like it might be easier than a bulky OpenVPN setup.
