Thursday, February 19, 2009

(In)Secure Sockets Layer

Secure Sockets Layer (SSL) is what your browser uses to securely send your private data over Al Gore's Intarwebz. It's the base on which all electronic transactions are built. It's the "s" in "https", the "Secure" HTTP.

And it seems that it's broken:

Website encryption has sustained another body blow, this time by an independent hacker who demonstrated a tool that can steal sensitive information by tricking users into believing they're visiting protected sites when in fact they're not.

Unveiled Wednesday at the Black Hat security conference in Washington, SSLstrip works on public Wi-Fi networks, onion-routing systems, and anywhere else a man-in-the-middle attack is practical. It converts pages that normally would be protected by the secure sockets layer protocol into their unencrypted versions. It does this while continuing to fool both the website and the user into believing the security measure is still in place.


Is it Amazon.com, or is it a fake? Is it paypal, or a fake? Your bank, or a fake?

A couple of days ago, I said that it's hard for folks like me - who pay way too much attention to this sort of thing - to tell if a web site has good security or not. Now it's not possible if the web site that you think you're accessing is actually the web site.

The URL in the address bar? It can be faked.

The lock icon at the bottom of the page? It can be faked.

The entire web of trust, where Certification Authorities vouch for the organization that runs a web site? You can fake that, too.

If you're a little (but not too) technical, and if you're remotely interested in this, check out the presentation slides.

Now this would be an interesting but highly theoretical threat, except for one thing. Last summer, the Domain Name System (DNS) was shown to have a huge, massive, gaping security hole. So big, in fact, that anyone who wanted to (and knew how) could pretend to be any site they wanted.

That too was interesting but pretty theoretical - after all, it doesn't help you to masquerade as amazon.com if you can't fake the SSL security that the site uses?

Now it doesn't matter. Yes, it's actualy more subtle than this - go read the slides. The bottom line is that you can go to a site that looks entirely legitimate (legitimate to a careful security geek like me), and find that it was a physher who nabbed your credit card.

Quite frankly, I'm not sure what to think here. This seems like it's really, really bad news. I plan on being extra paranoid. In particular, if you order something from Amazon or (shudder) bank online, and if you usually get an email confirmation after a transaction, watch for that email. Not that it can't be faked, too, but the more that the Bad Guy has to do to support his fakery, the more opportunity he has to mess up. Granted, it's not a lot, but everything helps.

No comments: