
Pop quiz! Be honest as you answer these questions:

1. When you go to your bank’s website, what do you type in the address bar?

a. bankname.com
b. http://bankname.com
c. https://bankname.com

2. When you receive an SSL error or warning, what do you do?

a. Ignore it.
b. Jump through hoops to continue on to the next page.
c. Carefully consider the error and make an informed decision about whether you want to continue.

3. When you type a password into a web page, do you always look for the lock icon in your browser and view the source of the page to ensure the submit goes to an https:// address?

a. No.
b. Sometimes, just on my banking website.
c. Always. Every time. Guaranteed.

Well, if you answered anything other than C for the above questions, let me introduce you to your worst nightmare: sslstrip. The author of this program realized that most people don’t type in the https:// prefix and don’t look closely for padlock icons; people don’t care about security, they just expect it to work. Most of the time, you reach SSL pages by clicking on links or by following an HTTP 302 redirect.

sslstrip takes advantage of this: it transparently intercepts HTTP traffic and replaces every HTTPS link and redirect with a plain-HTTP look-alike. It can even supply a favicon that looks like a browser’s lock icon.
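The manual check from quiz question 3 (view the source and confirm that the password form submits to an https:// address) can be automated. The following is an added example, not code from the original post or from sslstrip: it parses a page, finds every form containing a password field, and reports those whose resolved submit target is not HTTPS, which is exactly what a stripped page looks like. The sample HTML and the bankname.com URLs are constructed for the example.

```python
# Added illustration (not from the original post): automate the manual
# check from the quiz by finding every form with a password field and
# reporting those whose submit target is not https://. Sample HTML is
# constructed for this example.
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormScanner(HTMLParser):
    """Collects (action, has_password_field) for each <form> on the page."""

    def __init__(self):
        super().__init__()
        self.forms = []       # finished forms as (action, has_password)
        self._current = None  # [action, has_password] while inside a form

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = [a.get("action") or "", False]
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "").lower() == "password":
                self._current[1] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(tuple(self._current))
            self._current = None


def insecure_login_targets(page_url, html):
    """Absolute submit URLs of password forms whose target is not https."""
    scanner = _FormScanner()
    scanner.feed(html)
    bad = []
    for action, has_password in scanner.forms:
        # A relative or empty action inherits the page's own scheme, so a
        # login form served over http:// with action="/login" is caught too.
        target = urljoin(page_url, action)
        if has_password and urlsplit(target).scheme.lower() != "https":
            bad.append(target)
    return bad


# Constructed sample: after stripping, the login form posts over plain HTTP.
SAMPLE_HTML = """<form action="http://bankname.com/login" method="post">
  <input name="user"><input type="password" name="pw"></form>
<form action="https://bankname.com/search"><input name="q"></form>
<form action="/feedback"><input type="password" name="pin"></form>"""
```

Calling `insecure_login_targets("http://bankname.com/", SAMPLE_HTML)` reports both the rewritten login form and the relative-action PIN form; the search form has no password field and is ignored.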

It’s pretty evil, actually. Of course, it requires that the attacker running sslstrip has already compromised your network, through ARP spoofing, DNS poisoning, or otherwise having your traffic routed through the attacker. Good luck noticing if it’s being used against you. The author used it on a TOR node — note that TOR is generally used by people who are paranoid about their privacy and security — and collected 254 passwords over a 24-hour period.

What’s the fix? As far as I’m concerned, there isn’t one. It’s a design flaw with the way most “secure” websites work today. Do you have ideas on how to prevent this attack? Let us know in the comments.

One thought on “The Web’s Design Flaw”

  1. bill says:

    My browser types http for me… Can I fix it?
