Wednesday, April 21, 2010

Tor Exit Node + sslstrip

Site of the day: http://www.seobook.org/

sslstrip, hijacking SSL in network

posted Feb 23rd 2009 7:25pm by Eliot Phillips

Last week at Black Hat DC, [Moxie Marlinspike] presented a novel way to hijack SSL. You can read about it in this Forbes article, but we highly recommend you watch the video. sslstrip can rewrite all https links as http, but it goes far beyond that. Using unicode characters that look similar to / and ? it can construct URLs with a valid certificate and then redirect the user to the original site after stealing their credentials. The attack can be very difficult for even above average users to notice. This attack requires access to the client’s network, but [Moxie] successfully ran it on a Tor exit node.

This is a hacker’s hack – a really cool proof of concept. But in the real world, someone would have to hack your bank, your ISP or your home network. If they root the bank (e.g. Heartland) why bother with SSL traffic, just get the raw data. If they get your PC, they can grab keystrokes regardless of how good the network security is. And let’s face it, there are a lot of people who can be fooled by a site that just looks the same, never mind the URL or certificate. Although, just maybe, a wireless hotspot at a hotel or cafe might be a candidate for sslstrip. I think it would be hard – diverting traffic through a PC instead of going straight to a switch – but it’s probably easier than hacking an ISP or bank.

The paper is worth a read:
http://www.blackhat.com/presentations/bh-dc-09/Marlinspike/BlackHat-DC-09-Marlinspike-Defeating-SSL.pdf
.. hey, maybe combine it with the BGP attack: https://www.defcon.org/images/defcon-16/dc16-presentations/defcon-16-pilosov-kapela.pdf (that was amazing – stole all the DEFCON traffic for an hour or so..)

(http://hackaday.com/2009/02/23/sslstrip-hijacking-ssl-in-network/)

Tool to check for bad nodes:
http://code.google.com/p/torscanner/

Articles:
http://www.forbes.com/2009/02/18/black-hat-hackers-technology-security_0218_blackhat.html
http://www.wired.com/threatlevel/2009/07/kaminsky/


Read also:
http://archives.seul.org/or/talk/Jan-2010/msg00161.html

2 comments:

  1. Thanks for sharing, this is a fantastic post.Really looking forward to read more.

    ReplyDelete
  2. I like this post. I visited your blog for the first time and just been your fan. Keep posting as I am gonna come to read. Thanks for sharing. keep it up.

    ReplyDelete