Used to secure connections between websites and browsers, this protocol is blacklisted by many experts. SSL 3.0+ is vulnerable to a “man-in-the-middle” attack: this is what Ray Marsh, a developer working for the company Phone Factor, announces on his blog. He confirms that it is possible to intercept SSL (Secure Sockets Layer) traffic between the authority issuing the digital certificate and a website. The attacker can then create a false certificate that fools the user, who believes they are on a secure site (padlock and green bar visible in the browser). This type of attack could allow an attacker to steal passwords, to take control of your online banking session, or to install a Firefox update that contains malicious code.
However, an attack of this kind is far from simple to implement or to deploy on a large scale. It requires both creating a certificate specific to each target (the website being impersonated) and redirecting the user to the illegitimate IP address (for example, a fake bank site).
An outmoded mechanism
In reality, this type of announcement only confirms the limits of the SSL protocol. This summer at Black Hat in Las Vegas, and again at Hack.lu on October 30 in Luxembourg, a hacker named Moxie Marlinspike demonstrated that tools exist, including SSLstrip, which he developed, that make it possible to exploit vulnerabilities in SSL and create false certificates. According to researchers, the problem lies notably in the X.509 public key infrastructure. Used to manage digital certificates, it has become obsolete.
In mid-October, Microsoft released two patches for the X.509 flaws revealed at Black Hat by Marlinspike. Web browsers and mail clients have also been updated.