Some websites start you on an "http" webpage, and tell you that the submission of your credentials is secure, using SSL.
While ordinarily true, this can no longer be relied upon. According to this paper presented at a BlackHat conference, a combination of ARP spoofing and a man in the middle attack allows the interceptor to capture the insecure "submit" web page before it reaches your PC and modify the secure submit code to drop SSL.
Then it captures the credentials and, in fact, can establish the SSL connection between itself and the remote webserver.
It can do the reverse on the response, and build the webpage back for the end user.
The solution is to ensure that you are on an SSL / https web page before ever starting to enter any secure information.
I saw this demo'ed and it looks legit. Whenever new SSL hacks come along, I'm very skeptical. Usually they involved very narrow target sets and lab environments that can be manipulated. This is a real exploit that can be easily pulled off on a public network, like a hotel or WiFi hotspot.
I had the opportunity to see some very shocking SSL related hacks as early as 2-3 years ago and when I talked about them I got a lot of backlash about how I was drumming up unfounded hysteria. People here said the null-insert SSL hack wouldn't work, it did. They said that you couldn't generate an SSL cert that hashed properly, someone did. They said it would be impossible to generate one that would be useful, someone did. I'm not saying SSL should be thrown out now, but like any other security method, its days are numbered. When combined with the security mess that is currently DNS, SSL vulnerabilities are that much more important, and many very smart people are pouring a ton of effort into breaking the system further. Someday soon we will need to come up with something more reliable.
SSL does not work on many pages that have flash or iframes to other sites and it shouldn't. Unfortunately, users expect login boxes on those pages. I don't know if there is a workaround as long as it is accepted that the login box has to be on a secure page only.
That's one reason why the system really has to be revamped. It's still OK to have a secure login box on a non-secure page, as long as the input is sent encrypted. The problem is, it's nearly impossible for the average Joe to know the difference. They just know there is no HTTPS and no lock on the bottom of the browser. It's so confusing that most people just don't know what to do.
I know there is a Firefox addon that will show you whether the field goes to an SSL page if you hover over a link or a form field, but I can't remember the name.
The problem is a lot of those websites have flash and 3rd party javascripts that throw SSL errors when you force SSL.
Third party scripts can also log all activity before the forms are submitted, causing security holes. A good programmer will hide those security holes when SSL is enabled, but removing such scripts/flash might remove some features.
ellory said: what I would like is a firefox addon that would force https web page usage for designated websites.
There are some Greasemonkey scripts at userscripts.org that will at least redirect. Just search for SSL, to find them. Some let you manage the list of sites, some have built in lists.
drodge said: I know there is a Firefox addon that will show you whether the field goes to an SSL page if you hover over a link or a form field, but I can't remember the name.
ellory said: what I would like is a firefox addon that would force https web page usage for designated websites.
Excellent idea.
Or ALL web pages for that matter.
Computing power is cheap. Servers should work in SSL mode only. News, e-mail, fatwallet, banking app, crap -- all must do SSL.
I hate, for example, that after logging into gmail, you have to retype https over the http in the URL to force gmail into secure for the duration of the session. Of course, the initial page, after logon, is served in plain text.
tolamapS said: ellory said: what I would like is a firefox addon that would force https web page usage for designated websites.
Excellent idea.
Or ALL web pages for that matter.
Agreed
Computing power is cheap. Servers should work in SSL mode only. News, e-mail, fatwallet, banking app, crap -- all must do SSL.
Agreed
I hate, for example, that after logging into gmail, you have to retype https over the http in the URL to force gmail into secure for the duration of the session. Of course, the initial page, after logon, is served in plain text.
Google provides options to force all its gmail pages to be forced to SSL. Logon to google and explore the options.
ellory said: tolamapS said: ellory said: what I would like is a firefox addon that would force https web page usage for designated websites.
Excellent idea.
Or ALL web pages for that matter.
Agreed
Computing power is cheap. Servers should work in SSL mode only. News, e-mail, fatwallet, banking app, crap -- all must do SSL.
Agreed
I hate, for example, that after logging into gmail, you have to retype https over the http in the URL to force gmail into secure for the duration of the session. Of course, the initial page, after logon, is served in plain text.
Google provides options to force all its gmail pages to be forced to SSL. Logon to google and explore the options.
Disagreed. SSL costs twice as much as a no security hosting. May be still considered cheap for some though.
Even more disheartening, the thread started being fully marked read and some people mocking the exploit by comparing it to a phishing attack that only ignorant people fell for.
As far as the list of vulnerable companies in the QuickSummary, I was encouraged that the two named companies in the powerpoint (Wachovia and BofA) seem to have closed this hole, but discouraged that even this very short, incomplete list still has a fair number of vulnerable companies.
tolamapS said: I hate, for example, that after logging into gmail, you have to retype https over the http in the URL to force gmail into secure for the duration of the session. Of course, the initial page, after logon, is served in plain text.
You can force gmail to use https at all times for that matter. Check your settings and there is a box you can tick.