Monday, March 16, 2009

sslstrip - Not just another way to mess with ssl

| Armando Romeo |
sslstrip is a research powered by Moxie Marlinspike presented at Blackhat DC 2009 that demonstrate an innovative and quite simple (to understand) way to read SSL traffic.

I spent yesterday night watching the amazing video of Moxie's speech. At first I thought it was just another ssl MITM attack tool. Instead it turned to be a completely new way of performing achieving the same result: reading SSL traffic.

The following two images will be clearer than many words:

1. This is the old sslsniff method:

sslsniff has been used by Alex Sotirov et al. for the MD5 collision project presented last 30th December.

2. This is the sslstrip method , A new kinf of man in the middle (to quote Moxie).

From client to hacker connection is kept on HTTP, while on the server side the connection is

The idea behind sslstrip downloadable here, is to revert SSL requests from client to target server into HTTP requests, thus forcing the client to send data not encrypting it.

This is possible, according to Moxie because there are usually 2 ways to turn a connection from http to https:
  1. 302 redirects
  2. clicking on links
So everytime sslstrip intercepts a request for an https resource (like login request), sslstrip initiates a secure connection to the target server and responds to the client with an html completely identical to the correspondent secure page retrieved from the target server.

The server will be unaware of the attacker being in the middle, while the attacker relies upon tricks to make client think that the page he views is secure.

Firefox, as shown in the presentation, no more exposes the location bar with a yellow background, while the lock favicon, usually shown in SSL connections, can be easily changed.

Results acting as a node in the Tor network:


Refer to the slides or the nice conference video for more detailed information on the attack.

Free Security Magazines