Thursday, February 19, 2009

Are Your SSL Web Transactions Secure? BlackHat Conference Says NO!



You may have seen the padlock mark on your browser's status bar when you visit a secure site whose address begins with HTTPS://. You take it to be secure, and you conduct your banking or ecommerce transaction, because a certificate provider like Verisign says that the session is secure. An independent hacker at the Black Hat conference has shown otherwise.
Independent hacker Moxie Marlinspike demonstrated a number of ways the "chain of trust" can be intercepted during an SSL-encrypted transaction at the Black Hat security conference in Washington DC.
Marlinspike claimed that by deploying an attack using a free software tool called "SSL Strip" against several secure websites, such as PayPal, Gmail, Ticketmaster and Facebook, he garnered 117 email accounts, 16 credit card numbers and seven PayPal logins, among many other secure logins.


1 comment:

Anonymous said...

Not an original idea of Moxie Marlinspike himself. In fact you can implement the same trick by using a Reverse Proxy (locally) and launching your MITM attack using ARP spoof to fool the victim's machine into thinking you are the local gateway.

Keep in touch,

2600@bol.com.br