Security researchers have found another way to bypass aspects of the technology which protects ‘secure’ Web sites. It could trick users into handing over personal details to hackers.
The latest flaw was revealed this week at the Black Hat security conference in Washington, whose name is a dig at the idea that ‘white hat’ hackers are simply trying to uncover vulnerabilities while ‘black hats’ are criminally motivated.
A delegate using the name ‘Moxie Marlinspike’ demonstrated a program he’d written called SSLStrip designed to take advantage of the way encrypted sites (those which begin https:// and bring up the padlock symbol) work.
The program takes advantage of a flaw in the programming behind the Secure Sockets Layer (SSL) system and creates a bogus Web page that appears where the user is expecting to see a secure page on a genuine site. Users can then be tricked into typing user names, passwords and other personal details into supposed log-in screens.
When the attack is carefully crafted, the only easily noticeable difference is that the bogus page’s address starts with http:// rather than https://, and in practice few people would notice. During a 24-hour test, ‘Marlinspike’ obtained 254 passwords from users of major sites such as PayPal. Nobody who saw the bogus log-in screens left the site without typing in their details.
The program can even use a psychological trick by replacing the site’s favicon (the small symbol to the left of the address bar which is usually a site logo) with the padlock symbol, as pictured above.
And to make things worse still, the program can even be set up to create a security certificate which triggers the https:// prefix (which is then completed with the genuine site domain and a string of random letters to create a plausible address).
The program has been tested on Firefox and Safari, but ‘Marlinspike’ says it should also work on Internet Explorer. He says the most logical solution would be for users to manually type in https:// addresses rather than follow links, but acknowledges that’s unlikely to catch on in practice. Other than that, he says there’s no simple solution other than to encrypt every page, even if it doesn’t ‘need’ to be secure.