SSL Encryption hacked

No, don’t worry, it doesn’t quite mean the end of the world as we know it. SSL encryption itself is still reliable and safe. That isn’t entirely true of websites using it though.

In a little reported paper at the 2009 Black Hat Security conference in New York, hacker Moxie Marlinspike demonstrated a successful man-in-the-middle attack on a secure website.

The exploit involves using an application called SSLstrip, which can be used in a network to capture user logons to secure websites as well as personal information such as credit card nuimbers. Moxie claimed that he had used to technique to capture user information from PayPal, Facebook, Gmail, Hotmail and Ticketmaster. In one day, 117 email accounts were hacked and 16 credit card numbers were captured. Add to that 7 PayPal logins and hundreds of other secure logins.

The weak links in the security chain are the insecure web pages that link to secure services. By intercepting an insecure HTTP web page, such as a bank website home page, the exploit then serves the user a non-HTTPS, insecure, version of the secure web page. Although browser indications of security, such as padlock symbols, do not appear, Moxie explained how it was possible to make a similar symbol appear in the browser address bar.

The exploit suggests that the only really secure way of accessing a secure website is to enter the URL manually, ensuring you include the crucial ‘https://’ at the beginning.