Select your localized edition:

Close ×

More Ways to Connect

Discover one of our 28 local entrepreneurial communities »

Be the first to know as we launch in new countries and markets around the globe.

Interested in bringing MIT Technology Review to your local market?

MIT Technology ReviewMIT Technology Review - logo

 

Unsupported browser: Your browser does not meet modern web standards. See how it scores »

{ action.text }

Most websites use an encrypted connection to transfer sensitive information, including usernames, passwords, and credit-card numbers, over the Internet. In a presentation given this week at Black Hat DC, a computer-security conference in Washington, DC, an independent security researcher who goes by the name Moxie Marlinspike unveiled a tool that can hijack secure connections and trick users into sending sensitive information in the clear.

The attack relies on the fact that most communication over the Internet takes place insecurely. Connections become secure when needed, using the Secure Socket Layer (SSL) protocol. The beginning of the URL shown in a Web browser’s address bar reveals what kind of connection has been established. If the address starts with “http,” the connection is standard and unencrypted. If it starts with “https,” then the connection between the user and the website is encrypted.

But most users do not bother to type in “https” to establish a secure link. Instead, they rely on a website redirecting them to a secure connection when needed. “People only tend to access the secure protocols through the insecure protocols,” Marlinspike says.

Marlinspike has developed a software tool called sslstrip that interferes with a website’s attempt to direct the user toward that secure communications channel. Sslstrip can be used once an attacker has infiltrated a network to watch passing traffic for anything that might redirect the user to a secure connection–for example, a login button that links to an “https” URL. When the tool sees that information, it strips out the link to the secure page and replaces it with an insecure one. The tool then sits between the user and the website’s server, passing information back and forth. But before passing on information to the server, it encrypts it, so that the Web server has no idea that anything is wrong.

2 comments. Share your thoughts »

Credit: Technology Review

Tagged: Computing, security, Internet, browser

Reprints and Permissions | Send feedback to the editor

From the Archives

Close

Introducing MIT Technology Review Insider.

Already a Magazine subscriber?

You're automatically an Insider. It's easy to activate or upgrade your account.

Activate Your Account

Become an Insider

It's the new way to subscribe. Get even more of the tech news, research, and discoveries you crave.

Sign Up

Learn More

Find out why MIT Technology Review Insider is for you and explore your options.

Show Me