Attack on SSL Users Discovered, Tool Sources Released

Feb 25, 2009, 17:04 (1 Talkback[s])
(Other stories by Nils Magnus)

"Often users ignore warning dialogs and click through them. In the case of an sslstrip intervention, the user doesn't even get the warning dialogs, because no apparent invalid HTTPS connection is created. His browser simply doesn't create a secure connection. The kind of MITM attacks this can provide, and how users might be totally unaware of them, is clearly indicated in Marlinspike's "New Tricks for Defeating SSL in Practice" slides."

Complete Story

Related Stories:

• Widespread vulnerabilities found in programs which use OpenSSL(Jan 10, 2009)
• Perspectives Extension Improves HTTPS Security(Oct 22, 2008)
• After Debian's Epic SSL Blunder, A World of Hurt for Security Pros(May 22, 2008)
• Linux Postfix Mail Server SSL Certificate Installations and Configuration(Jul 16, 2007)