Technology Review
A new tool interferes with a website's secure connections.
Most websites use an encrypted connection to transfer sensitive information, including usernames, passwords, and credit-card numbers, over the Internet. In a presentation given this week at Black Hat DC, a computer-security conference in Washington, DC, an independent security researcher who goes by the name Moxie Marlinspike unveiled a tool that can hijack secure connections and trick users into sending sensitive information in the clear.
The attack relies on the fact that most communication over the Internet takes place insecurely. Connections become secure only when needed, using the Secure Sockets Layer (SSL) protocol. The beginning of the URL shown in a Web browser's address bar reveals what kind of connection has been established: if the address starts with "http," the connection is standard and unencrypted; if it starts with "https," the connection between the user and the website is encrypted.
But most users do not bother to type in "https" to establish a secure link. Instead, they rely on a website redirecting them to a secure connection when needed. "People only tend to access the secure protocols through the insecure protocols," Marlinspike says.
Marlinspike has developed a software tool called sslstrip that interferes with a website's attempt to direct the user toward that secure communications channel. Once an attacker has infiltrated a network, sslstrip watches passing traffic for anything that would redirect the user to a secure connection (for example, a login button that links to an "https" URL). When the tool sees such a link, it strips it out and replaces it with an insecure "http" one. The tool then sits between the user and the website's server, passing information back and forth. The user's side of that exchange now travels in the clear, but before passing anything on to the server, sslstrip encrypts it, so the Web server sees an ordinary secure session and has no idea that anything is wrong.
colinnwn
88 Comments
Firefox...
Has a "foolproof" way to tell if you are using an SSL connection, as long as you can get the uninformed souls informed about it. The beginning of the location bar turns green, features a lock, and shows the SSL certificate name of the website you are connecting to. So even if this SSLstrip tool were to start encrypting connections to it before forwarding onto the webserver, its certificate name displayed by Firefox wouldn't match the website the person was trying to connect to. That'd raise my bs alarm.
Reply
Erica Naone
70 Comments
Re: Firefox...
It's certainly true that if you're paying attention to that, you can notice in many cases. However, Marlinspike showed one class of examples that I found quite disturbing. There are cases where you go to a site on an insecure connection, and are asked to enter your username and password right there on that front page. Presumably, when you click the login button, it's changing you over to https, but there's literally no visual indicator. (The example page that Marlinspike gave was: http://wachovia.com/). He showed that, if you use sslstrip on the link connected to that login button, there's no way to see anything wrong with that connection until after the user has typed in and sent his username and password.
Reply
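As an added defender-side example, not code from the article, from sslstrip, or from any site mentioned here: a small Python audit that parses a page fetched over plain http and reports password forms whose action would submit credentials in the clear. It covers both the downgraded login link the article describes and the front-page form with a relative action raised in the comment above; the `bank.example` page and forms are constructed sample input.

```python
# Added example (not from the article or from sslstrip): audit a page
# fetched over plain http for credential forms that would post in the clear.
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormScanner(HTMLParser):
    """Records each <form>'s action and whether it holds a password field."""
    def __init__(self):
        super().__init__()
        self.forms = []    # [action, has_password] per form, in page order
        self._cur = None   # index of the form currently open, if any

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.forms.append([a.get("action") or "", False])
            self._cur = len(self.forms) - 1
        elif tag == "input" and self._cur is not None:
            if (a.get("type") or "").lower() == "password":
                self.forms[self._cur][1] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._cur = None


def plaintext_credential_forms(html, page_url):
    """Return resolved action URLs of password forms that do not post to https.
    A relative action inherits the scheme of the page it sits on, so on an http
    page it submits in the clear, which is what a stripped login link yields."""
    scanner = _FormScanner()
    scanner.feed(html)
    return [urljoin(page_url, action) for action, has_pw in scanner.forms
            if has_pw and urlsplit(urljoin(page_url, action)).scheme != "https"]

# Constructed sample: an http front page whose login form had its https target
# rewritten to http, a harmless search form, and a form whose https survived.
SAMPLE_HTML = """
<form action="http://bank.example/login" method="post">
  <input name="user"><input type="password" name="pass"></form>
<form action="/search"><input name="q"></form>
<form action="https://bank.example/login2" method="post">
  <input type="password" name="pass"></form>
"""

if __name__ == "__main__":
    for url in plaintext_credential_forms(SAMPLE_HTML, "http://bank.example/"):
        print("credentials would travel in the clear to:", url)
```

Run it against a page you fetched yourself over http (or a saved copy) to see which forms a stripped link would expose; a form that is flagged only because its action is relative is the case that shows no visual indicator at all.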