Man in the Middle Attack: Focus on SSLStrip


Term Paper, 2011

9 Pages, Grade: none



Today, SSL-enabled websites are supposed to offer security and peace of mind: the peace of mind to use your computer to shop or to check your bank account. While SSL is safe when used properly, there is a tool that attackers can use against the public. That tool is called SSLStrip. SSLStrip can be used in a man-in-the-middle attack, which an attacker could in turn use to fraudulently obtain personal information.

Introduction

SSLStrip was created by an independent hacker known as Moxie Marlinspike. The tool was revealed at the 2009 Black Hat Convention in Washington, D.C. As the tool was presented, it became clear that nothing like it had been considered before. As noted on Marlinspike's personal website, “It will transparently hijack HTTP traffic on a network, watch for HTTPS links and redirects, then map those links into either look-alike HTTP links or homograph-similar HTTPS links.” (Marlinspike). The tool undoubtedly has potential for use by attackers ranging from small children acting as hackers, or “script kiddies”, to the most advanced hacker who makes his or her living stealing personal information from unknowing users. The actual implementation of the tool also allows for other advanced modes and options. For example, the attacker has the option of including a favicon, a “lock icon”, on the webpage, either at the bottom of the page or in the address bar, to further deceive users. The entire purpose of SSLStrip is to deceive the user, and the deceit occurs without inexperienced users knowing that anything has happened.

A review of SSLStrip explains: “The root of the problem of the man-in-the-middle attack is the way that browsers and web sites currently deal with SSL encryption on web pages.” (Enrielt). In a man-in-the-middle attack using SSLStrip, the tool does away with the harsh warnings that browsers display for a false or expired certificate. Normal users will not notice the warning signs, nor will they notice that the lock icon is missing or that the “s” has disappeared from https:// in the address bar. Many users never type http or https in the address bar; they normally reach secure websites through redirects from HTTP. SSLStrip works by redirecting that traffic to itself and acting as a proxy. For example, a user may open their web browser and enter “Gmail” in the search engine. The user then opens the link to Gmail, and since Gmail normally redirects the user to an SSL-enabled login page, this is where SSLStrip would receive that redirect, strip away the SSL-enabled features, and send the user to a non-SSL-enabled version of the login screen. The attacker would then be able to listen with a packet sniffer and see all traffic transmitted over the HTTP connection. A 2006 study by Carnegie Mellon University concluded that, using Firefox 3, 31% ignored the warnings for an unknown Certificate Authority (Sunshine). With that said, many users, like myself, have almost grown accustomed to warning signs, just like banner ads on a webpage.

The attack

The man-in-the-middle attack is classically how an attacker gains access to information that he or she would not normally be able to see, by electronically placing themselves between a user and a server. An article states: “SSLStrip does not demonstrate a weakness in SSL encryption, but rather takes advantage of users who fail to look for trusted SSL encryption when sending sensitive information over the Internet.” (DigiCert EV SSL Certificates Protect Users From SSLstrip and Man-in-the-Middle Attacks). Many websites implement a redirect that lets users visit the website over HTTP, but when credentials or personal information are required, the website automatically redirects the user to an SSL-enabled page. This common practice is the downfall of any network because that basic redirect can be intercepted and manipulated so that users never reach their intended destination securely.
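As an added example (not from the paper and not SSLStrip's own code), a defender-side check for the two changes described above: HTTPS links that arrive rewritten as HTTP, and a plain-HTTP request that never receives its redirect to HTTPS. The HTML samples and all function names are constructed, and the check assumes a reference copy of the page fetched over a trusted path.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed samples: a reference copy fetched over a trusted path, and the
# copy a client received on the network under test.
REFERENCE_HTML = """<a href="http://example11.com/help">Help</a>
<a href="https://example11.com/account">Account</a>
<form action="https://example11.com/login" method="post"></form>"""
RECEIVED_HTML = """<a href="http://example11.com/help">Help</a>
<a href="http://example11.com/account">Account</a>
<form action="http://example11.com/login" method="post"></form>"""


class _UrlCollector(HTMLParser):
    """Collect the values of href, src and action attributes."""

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        self.urls += [v for k, v in attrs if k in ("href", "src", "action") and v]


def collect_urls(html):
    parser = _UrlCollector()
    parser.feed(html)
    return parser.urls


def _target(url):
    """Host, path and query: everything that identifies a link except its scheme."""
    parts = urlsplit(url)
    return (parts.netloc.lower(), parts.path, parts.query)


def downgraded_links(reference_html, received_html):
    """URLs that are https in the reference copy but arrive as http."""
    secure = {_target(u) for u in collect_urls(reference_html)
              if urlsplit(u).scheme == "https"}
    return sorted(u for u in collect_urls(received_html)
                  if urlsplit(u).scheme == "http" and _target(u) in secure)


def redirect_stripped(status, location):
    """True when a plain-HTTP request did not get a redirect to https."""
    is_redirect = status in (301, 302, 303, 307, 308)
    return not (is_redirect and urlsplit(location or "").scheme == "https")
```

Links rewritten to homograph-similar HTTPS hosts, the other mapping in the quoted description, do not match on host here and need a separate hostname comparison.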

In the following section I will be explaining exactly how to implement this attack to better explain each process in detail. For my attack I will be using a Linux distribution named Backtrack, which is open source and can be found at http://www.backtrack-linux.org/. For the purposes of this example, I will not be discussing iptables/networking or the specific command options that are issued for each software tool.

In a normal transaction to visit a website (http://example11.com), an HTTP request is sent from the PC to the server listening on port 80, which in turn responds with a redirect to https://example11.com. The PC then establishes the secure connection, during which the server presents its certificate. This normal transaction is where the man in the middle can use SSLStrip to

Excerpt out of 9 pages

Details

Title: Man in the Middle Attack: Focus on SSLStrip
College: East Carolina University
Course: ICTN 4040 Communication Security
Grade: none
Author: Jordan Elks
Year: 2011
Pages: 9
Catalog Number: V170676
ISBN (eBook): 9783640896721
File size: 406 KB
Language: English
Keywords: middle, attack, focus, sslstrip
Quote paper: Jordan Elks (Author), 2011, Man in the Middle Attack: Focus on SSLStrip, Munich, GRIN Verlag, https://www.grin.com/document/170676
