Skip to navigation
   
Davey Winder's Blog
RSS

SSL not so secure after all?

By Davey Winder in Editorial

Posted in Data Protection, Security, Internet, e-commerce on August 2, 2009 at 9:54 pm

Permalink | Author Profile

With most of the media coverage from the Black Hat Las Vegas conference covering the Apple iPhone SMS hacking story there is always a danger that some other really rather important news gets rather buried away. Such as the small point that security researchers at Black Hat were demonstrating some really rather worrying vulnerabilities that impact upon that most sacred of security protocols, the Secure Sockets Layer.

Moxie Marlinspike showed how man-in-the-middle attacks can fool web browsers and email clients into thinking a fake site was legit, courtesy of flaws in SSL by intercepting traffic by way of a null-termination certificate. Marlinspike has adapted his SSLSniff tool to get spoofed SSL pages and log all incoming and outgoing traffic instead of it going via an encrypted channel. While Firefox 3.5 is protected against the attack, earlier versions are not, nor is Chrome or IE8 although because the latter has code signing certificates as an additional security layer it is harder to pull off.

Dan Kaminsky, yes the same Dan Kaminsky who uncovered the biggest DNS flaw ever last year, was also presenting on SSL insecurity. Along with Len Sassamna he managed to fool one Certificate Authority into issuing a certificate for a domain he did not own by using a naming trick that exploits a vulnerability in the X.509 protocol for generating SSL connections.

12345
Rated: 60% (2 votes)
Loading ... Loading ...

Previous Post | Next Post

 
 
Comments

Pingback by Posts about the iPhone as of August 2, 2009 | Iphone Talk - August 2, 2009 on 10:27 pm

[…] approval, while other ODMs in china are pausing production to see what is actually released. SSL not so secure after all? - itpro.co.uk 08/02/2009 With most of the media coverage from the Black Hat Las Vegas conference […]

Comment by otherbizguy - August 4, 2009 on 6:17 pm

Not only is Firefox immune to sslsniff, but most of the major players also have safeguards in place to prevent this kind of attack. Really, null-termination is only effective on sites without the best encryption, or who use a combination of EV and DV certs, for example (the practice of which has been causing a bit of buzz lately). Really, it’s not SSL that isn’t secure — extended validation is still the strongest encryption around — it’s browser and website development. But, I agree that this shouldn’t be overlooked.

Comment by ed hardy shoes - October 9, 2009 on 8:02 am

i like this

Comment by Prom Gowns - November 4, 2009 on 10:23 am

Hello, I want to thank you for this nice blog.

Trackback by Jeri Macnab - February 9, 2012 on 8:42 am

soap news general hospital…

[…]practice in the location of game[…]…

Make a comment

* required

* required

We stop spam using reCaptcha.
Type the words below and click Submit Comment.

   
Tag cloud

Psychic parental control Developers Digg NASA support InfoSec hubdub politics Bill Gates service gaming Business home office Mafia green ASUS mail open source Project HP Deal Blogging network data worker ROFL MessageLabs science information Johnny Depp Media Trousers innovation iPhone code Education printing compromise Retail trust economy Energy environment universe Licensing Palm shopping scam Big Brother Microsoft scan Android Video lawsuit global report Patents services productivity Netbook cloud world of warcraft Kaspersky banks prison money Browsers carbon copy Sony Nintendo survey documentation Military McKinnon MSNBC SMS teleworking Finjan encryption scareware Review Game books Enterprise Spotify Texting poll VPN Pirate Geeks Gartner Study FBI acquisition Olympics Blog transactional security AMD Digital Footprint Beta Jobs search OCR Psion Space broadband Mobile Phones Trojan wifi archiving e Twitter Ballmer Michael Jackson standards XP Meh Windows Phone 7 Series email remote working hoax computer management Press Facebook workplace help iPhone 3GS Kindle Mobile Phone size theft betting Advertising smartphone ID Theft Notebooks Employment gadgets technology Funny Architecture IDC virtual machine Harry Potter App Store HPC Backlash students Dell Marketing patch management Windows fake Lotus Government Tesco VeriSign second life Russia migration campaign meme Madness Health Internet hardware economics USA hacking hypervisor Rant Music Microchip christmas Apple Kill Switch banking Google App digitise Palm Pre Gadget Research Recall library ecommerce virtualisation desktop web 2.0 Guardian spam IBM memory Conference GSM earth hour Cisco exploit sick black hat BOFH Death SSL China adware nightmare Acer Nexus chips iPhone 3G terrorism Jesus Phone Networks mobile credit crunch Experiment The Federation computers EU Linux Windows 7 Data Centre Flash fraud Web Development man-in-the-middle School Intel Hack Children monetisation MSN biometrics Firefox copyright Adobe Europe linkedin recession Browser payment server hacker tax fool malware Texas Instruments holidays Performance computing credit card fraud President statistics botnet Steve Ballmer Top 10 Gateway Vista console Scotland social networking payments policy web Mars Opinion e-commerce outsourcing avatar Army museum millions Eee news Battery YouTube DNS RAM iPod RATM IP xmas CAPTCHA stupid Porn Software patent virus symantec eBook Paris Hilton BSI privacy Programming work staffing MiniBook football security family Top 500 Yahoo rootkits OS Rumour storage spending ISP Internet Explorer development debian Voice ISPA fun virtual world computing Noro remote law Google Earth Banned Election Eee PC games IT Analysis Supercomputer GMail Zango Obama disclosure PS3 NBC Application Silverlight Kin worm snooping dumb surveys Steve Jobs VM stupidity data protection phishing Sex tech Addiction Apps graphics iPad crime admin Amazon Parenting
Advertisement

   
Archives

   
Most commented posts

   
Highest Rated Blog Posts

Advertisement