
Picking the Browser's Padlock

(Page 2 of 2)

  • Thursday, February 19, 2009
  • By Erica Naone

Marlinspike admits that some users might notice that something is wrong because browsers often show that a connection is encrypted by placing a lock in the corner, and that would be absent. However, he says that many sites feature confusing design elements that could easily make users think that a connection is secure when it isn't. For instance, some sites show the lock icon in the login window, informing the user that the link is supposed to lead to an encrypted page. Certain banking websites also provide no indication that they are about to switch to an encrypted connection, meaning the user may not realize that anything has gone awry. Marlinspike even showed several ways that the attack could be made more covert, by creating an encrypted link with the user.

Marlinspike tested sslstrip by collecting data from Tor, an openly accessible network for anonymizing Web traffic. Over 24 hours, he collected login details for 117 e-mail accounts, 16 credit-card numbers, 7 PayPal logins, and 300 other postings that were intended to be secure. He monitored to see if anyone would balk at using an insecure connection; no one did.

Dan Kaminsky, a well-known security researcher and director of penetration testing for the Seattle-based security company IOActive, says that Marlinspike has expertly exploited several problems that have been known about for years. "It's not like [those problems are] going away," Kaminsky says, "and that matters."

Kaminsky adds that the problem does not lie with Web browsers, website owners, or users. "What we're doing isn't working," he says. "I think we're missing critical pieces of infrastructure that we need to secure the Internet."

One way to add another layer of security to the Internet, Kaminsky argues, would be to introduce a new secure protocol called DNSSEC, for linking Web servers to domain names. He believes that DNSSEC could be configured to instruct browsers to connect to certain sites using only an "https" connection.

Marlinspike is skeptical that such a major overhaul of the Web's existing structure would work. He also says that owners of websites could introduce design changes to help make the difference between a secure connection and an insecure one clearer. Ultimately, however, he believes that a proper solution will be elusive so long as most traffic is sent over the Internet in an insecure fashion.



colinnwn, 02/20/2009

Firefox...

Has a "foolproof" way to tell if you are using an SSL connection, as long as you can get the uninformed souls informed about it. The beginning of the location bar turns green, features a lock, and shows the SSL certificate name of the website you are connecting to. So even if this SSLstrip tool were to start encrypting connections to it before forwarding on to the web server, its certificate name displayed by Firefox wouldn't match the website the person was trying to connect to. That'd raise my bs alarm.


Erica Naone, 02/20/2009

Re: Firefox...

It's certainly true that if you're paying attention to that, you can notice in many cases. However, Marlinspike showed one class of examples that I found quite disturbing. There are cases where you go to a site on an insecure connection, and are asked to enter your username and password right there on that front page. Presumably, when you click the login button, it's changing you over to https, but there's literally no visual indicator. (The example page that Marlinspike gave was: http://wachovia.com/). He showed that, if you use sslstrip on the link connected to that login button, there's no way to see anything wrong with that connection until after the user has typed in and sent his username and password.

