Black Hat Presentation Highlights SSL Encryption Flaws 152
nk497 writes "Hackers at the Black Hat conference have shown that SSL encryption isn't as secure as online businesses would like us to think. Independent hacker Moxie Marlinspike showed off several techniques to fool the tech behind the little padlock on your screen. He claimed that by using a real world attack on several secure websites such as PayPal, Gmail, Ticketmaster and Facebook, he garnered 117 email accounts, 16 credit card numbers, seven PayPal logins and 300 other miscellaneous secure logins."
Re:Oh god (Score:4, Informative)
OK: "Some implementations of SSL encryption are flawed. These can be fixed. SSL encryption itself is not flawed."
The same guy. (Score:2, Informative)
This is the same guy who published the infamous basic constraints IE vulnerability [thoughtcrime.org] a few years ago. His website and the software is www.thoughtcrime.org [thoughtcrime.org]
Re:It's not a problem with SSL /per se/ (Score:3, Informative)
Alternatively, he might redirect from https://secure.example.com/ [example.com] to https://secure.example.com/.ijj.cn [example.com], except that the slashes and dots in the last example are unicode characters that look like slashes and dots, so they don't register with the browser in the same way. He gets a legit cert to *.ijj.cn, then logs everything and forwards your responses to the address before .ijj.cn. For long URLS (which many secure logins have), the trailing .ijj.cn ends up past the end of your URL bar, and you don't notice.
After seeing Moxie's presentation, I'll be double checking every URL that needs to be secure to verify the 'https' protocol, and doesn't have any unusual endings. For things like the bank, I'll probably just bookmark the https version and never request the http version.
This is an X.509 problem (Score:2, Informative)
Re:Odd choice of words (Score:4, Informative)
It's not a conspiracy theory. It appears that a lot of businesses have concluded that occasionally eating the loss on a fraudulent transaction is cheaper than fixing problems.
Maybe it should be "...isn't as secure as online businesses would like it to be."
If they "would like it to be" secure all they would have to do is spend more money on their infrastructure to encrypt everything. So, while it's not a "conspiracy", users who trust sites like paypal or their bank should be upset that these businesses have decided that security is too expensive. Users should be upset that big sites that handle money have decided that it is cheaper to wait for you to notice that money is missing, contact them, and then credit your account (maybe). And if you don't notice, well... it's not their responsibility.
I think that it is in the interests of businesses as well as their customers for SSL transactions to remain secure.
I would think so, too. However, people who run these companies' IT appear to have come to a different conclusion: Spend a certain amount of money on a somewhat secure system, and then put the responsibility on the customer to notice fraud. If noticed, credit the customer's account. Since the problems with mixing secure and non-secure elements have been known and exploited for years, we can conclude that these companies have done their cost-benefit analysis on the current way of doing things and found it to be acceptable.