Website danger as hacker breaks SSL encryption

The Black Hat conference in the US shows that software can be used to steal information from sites you may think are secure.

Independent hacker Moxie Marlinspike has unveiled new techniques to defeat SSL encryption, which would leave common web applications such as online banking or secure website logins vulnerable to attack.

This would mean that the padlock icon in the corner of supposedly safe' websites and touted as optimal security by companies like Verisign may not be as safe as people generally believe.

Marlinspike revealed his findings at the Black Hat security conference in Washington DC, showing a number of ways where the "chain of trust" fell apart around SSL encryption.

He looked at the possibilities for new vectors of attack against HTTPS, the combination of HTTP and a network security protocol, which are often used for payment and sensitive corporate transactions.

Marlinspike also revealed a free software tool called "SSL Strip", which could be deployed on a network and used for a man in the middle attack on all potential SSL connections.

It stripped away the SSL encryption, substituting a look-alike HTTPS site, while still convincing the user and website the security was in place.

He claimed that by using a real world attack on several secure websites such as PayPal, Gmail, Ticketmaster and Facebook, he garnered 117 email accounts, 16 credit card numbers, seven PayPal logins and 300 other miscellaneous secure logins.

Click here for a video interview with Marlinspike.

The SSL encryption hack wasn't the only threat highlighted at Black Hat. Zscaler security researcher Michael Sutton sounded a warning against features that allowed offline access to websites.

He stressed that offline web applications such Gmail and Gears were secure, but warned that other sites with poor security risked visitors losing their data.

As well, Vietnamese researcher Duc Nguyen also demonstrated how he and his partners cracked the facial recognition technology used by Lenovo, Asus and Toshiba on their laptops.

They cracked the tech simply by using a picture of a person instead of their real face, as well as by presenting multiple phony facial images.

The researchers concluded that it was sufficient evidence that the biometric authentication used by the manufacturers was not secure enough.

Featured Resources

Defeating ransomware with unified security from WatchGuard

How SMBs can defend against the onslaught of ransomware attacks

Free download

The IT expert’s guide to AI and content management

How artificial intelligence and machine learning could be critical to your business

Free download

The path to CX excellence

Four stages to thrive in the experience economy

Free download

Becoming an experience-based business

Your blueprint for a strong digital foundation

Free download

Recommended

Hacked PayPal accounts tripled in value during pandemic
hacking

Hacked PayPal accounts tripled in value during pandemic

8 Sep 2021
PayPal to put hate group funding under the microscope
Security

PayPal to put hate group funding under the microscope

26 Jul 2021

Most Popular

What are the pros and cons of AI?
machine learning

What are the pros and cons of AI?

8 Sep 2021
Citrix mulling potential sale after tumultuous 2021
mergers and acquisitions

Citrix mulling potential sale after tumultuous 2021

15 Sep 2021
Hackers develop Linux port of Cobalt Strike for new attacks
Security

Hackers develop Linux port of Cobalt Strike for new attacks

14 Sep 2021