WASHINGTON D.C We all rely on SSL and HTTPS to secure our web transactions. That’s why Moxie Marlinspike’s session at Black Hat DC on SSL/HTTPS attacks just blew my mind and has me ‘concerned’ to say the least.
Marlinspike demonstrated how a new tool he has developed called sslstrip – can trick browsers into thinking they are on an SSL/HTTPS secured site when in fact they are not.
The implication is that all the traffic from the regular HTTP site could then be easily collected by an attacker since the information is not secured.
“Lots of time the security of HTTPS comes down to the security of HTTP and HTTP is not secure,” Marlinspike told the capacity crowd.
Marlinspike is no stranger to getting around SSL security. In 2002 he released the -sslsniff – tool that could be used in a man in the middle attack to inject an illegitimate SSL certificate into an HTTP stream, tricking a user into thinking they were on an the legitimate SSL secured site (when in fact they were not).
So how do you protect yourself? Read more after the jump.