Website danger as hacker breaks SSL encryption
By Asavin Wattanajantra
Independent hacker Moxie Marlinspike has unveiled new techniques to defeat SSL encryption, which would leave common web applications such as online banking or secure website logins vulnerable to attack.
This would mean that the padlock icon shown in the corner of supposedly ‘safe’ websites, and touted as optimal security by companies like Verisign, may not be as safe as people generally believe.
Marlinspike revealed his findings at the Black Hat security conference in Washington DC, showing a number of ways in which the “chain of trust” around SSL encryption fell apart.
He looked at possible new vectors of attack against HTTPS, HTTP layered over the SSL security protocol, which is often used for payments and sensitive corporate transactions.
Marlinspike also revealed a free software tool called “SSL Strip”, which could be deployed on a network and used for a man-in-the-middle attack on all potential SSL connections.
It stripped away the SSL encryption, substituting a look-alike site for the real HTTPS one, while still convincing both the user and the website that the security was in place.
He claimed that in a real-world attack on several secure websites, including PayPal, Gmail, Ticketmaster and Facebook, he garnered 117 email accounts, 16 credit card numbers, seven PayPal logins and 300 other miscellaneous secure logins.
The SSL encryption hack wasn’t the only threat highlighted at Black Hat. Zscaler security researcher Michael Sutton sounded a warning against features that allowed offline access to websites.
He stressed that offline web applications such as Gmail and Gears were secure, but warned that other sites with poor security risked visitors losing their data.
Vietnamese researcher Duc Nguyen also demonstrated how he and his partners cracked the facial recognition technology used by Lenovo, Asus and Toshiba on their laptops.
They cracked the technology simply by using a picture of a person instead of their real face, as well as by presenting multiple phony facial images.
The researchers concluded that this was sufficient evidence that the biometric authentication used by the manufacturers was not secure enough.
Further Details on Gears Based Client Side SQL Injection
For those interested, a blog posting detailing the attack outlined in the article is available at: http://research.zscaler.com/2009/02/practical-example-of-cssqli-using.html
Michael
--
Michael Sutton, VP, Security Research, Zscaler
By Ip_michaelsutton on Thursday Feb 19
stupid article
Guys, what a lame piece of crap. a) Between Xmas and New Year 2008 the first working SSL attack was demonstrated at 23c3, so you're like ... 2 months late. *applauds* b) Verisign? Try https://verisign.com/ and check their SSL certificate.
By Ip_chmidder01caa on Friday Feb 20
Not a new trick.
Not an original idea of Moxie Marlinspike himself. In fact, you can implement the same trick by using a reverse proxy (locally) and launching your MITM attack using ARP spoofing to fool the victim's machine into thinking you are the local gateway. Keep in touch, 2600@bol.com.br
By Ip_260092efed132 on Sunday Mar 1