How do you exploit Hypertext Transfer Protocol Secure (HTTPS), tightly wrapped in SSL or TLS?
You don’t, says Moxie Marlinspike. You exploit the HTTP it’s built on. If you think about it, he told a Black Hat DC Briefings audience Wednesday, people encounter SSL by clicking on a link and being redirected to an HTTPS-secured page when they log into banking, webmail or shopping websites.

Marlinspike unveiled a hacking technique that intercepts Web traffic and tricks users into giving up passwords and other sensitive information. With the aid of a new tool called SSLstrip, Marlinspike demonstrated how easy it is to trick users into believing they are on a trusted, secure website.

“People only encounter HTTPS via HTTP, so maybe we can think about starting by attacking HTTP,” he said. “Normally, if we’re doing man-in-the-middle attacks against SSL, we go straight for SSL, straight after that connection. But if SSL depends on this other protocol, why don’t we look at that first?”

The trick, said Marlinspike, is duplicating a Web environment in which people are comfortable, in which they feel
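
As an added example (not code from the talk or from SSLstrip), a site owner can audit plaintext HTTP responses for the hand-offs described above: the links, forms and redirects that carry users from HTTP to HTTPS and therefore travel unprotected. The sample responses, the `bank.example` host and all function names are constructed for illustration.

```python
from html.parser import HTMLParser

# Constructed sample: a plaintext HTTP response from a hypothetical landing page.
SAMPLE_PAGE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b'<html><body><a href="https://bank.example/login">Log in</a>'
    b'<form action="https://bank.example/session" method="post"></form>'
    b'<a href="/about">About</a>'
    b'<img src="https://cdn.example/logo.png"></body></html>'
)
# Constructed sample: a plaintext redirect that sends the browser to HTTPS.
SAMPLE_REDIRECT = (
    b"HTTP/1.1 302 Found\r\n"
    b"Location: https://bank.example/\r\n"
    b"Content-Length: 0\r\n\r\n"
)

class _HandoffFinder(HTMLParser):
    """Collects navigation targets (links, forms) that point at https://."""
    WATCH = {("a", "href"), ("form", "action")}

    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if (tag, name) in self.WATCH and (value or "").strip().lower().startswith("https://"):
                self.found.append((f"{tag}[{name}]", value.strip()))

def find_https_handoffs(raw_response: bytes):
    """Return (kind, url) pairs where a plaintext response sends the user to HTTPS."""
    head, _, body = raw_response.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    handoffs = []
    location = headers.get("location", "")
    if 300 <= status < 400 and location.lower().startswith("https://"):
        handoffs.append(("redirect", location))
    finder = _HandoffFinder()
    finder.feed(body.decode("utf-8", errors="replace"))
    finder.close()
    return handoffs + finder.found
```

Every entry the function returns is a point where the user's path to the secure site is still carried over HTTP, so an empty result on a site's plaintext responses is the goal.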