A friend of mine said that he saw the SSLstrip presentation from BlackHat DC 2009 and asked me if he should be afraid. Here is the advice that I gave:
- you shouldn’t be afraid. Fear is a bad motivator because it pushes you to act quickly. A much better motivator is informed concern.
- if someone really wants to get to you (think TLAs – Three Letter Agencies – but some very skilled individuals are in this category too), they can, so I’m talking here about the shotgun-type attacks which people are much more likely to encounter
- the good news: this attack requires someone to be “in the middle” of your conversation (it is a Man-In-The-Middle type of attack). Such attacks can be executed using things like ARP poisoning or BGP hijacking.
- the bad news: it is a MITM attack 🙂 There are already quite a few malware families in the wild with the capability to do ARP poisoning in an automated way, and it is quite likely that (in the near future) they will add these methods to their arsenal
What can you do? If you are using Firefox, use the NoScript extension to force sites into HTTPS mode. As a site owner you might want to ensure that “secure” domains are only accessible via HTTPS (for example, secure.example.com listens only on port 443, not on port 80), so a plain-HTTP request for the secure host gets no page at all. This of course is not always possible.
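As an added illustration of the site-owner advice above (this is example configuration written for this post, not something from the original article or from the SSLstrip presentation), here is how the “listen only on 443” rule looks in nginx. The certificate paths and the document root are placeholders; the weak block is shown first so the difference is visible.

```nginx
# WEAK: the "secure" host answers on plain HTTP as well as HTTPS. A client
# whose https:// links have been rewritten to http:// by a man-in-the-middle
# gets a real page back over port 80 and never sees a TLS error.
server {
    listen 80;
    listen 443 ssl;
    server_name secure.example.com;
    ssl_certificate     /etc/ssl/certs/secure.example.com.pem;    # placeholder path
    ssl_certificate_key /etc/ssl/private/secure.example.com.key;  # placeholder path
    root /var/www/secure;                                         # placeholder path
}

# HARDENED: the secure host is bound to 443 only. There is no plain-HTTP
# listener for this name, so http://secure.example.com/ has nothing to talk to.
server {
    listen 443 ssl;
    server_name secure.example.com;
    ssl_certificate     /etc/ssl/certs/secure.example.com.pem;    # placeholder path
    ssl_certificate_key /etc/ssl/private/secure.example.com.key;  # placeholder path
    root /var/www/secure;                                         # placeholder path
}

# CAVEAT: if port 80 must stay open for other names on the same address, nginx
# will route an unmatched Host (including secure.example.com) to the default
# server on that port. Make that catch-all refuse the request outright so the
# secure host still never yields a plain-HTTP page. Status 444 is nginx-specific:
# it closes the connection without sending any response.
server {
    listen 80 default_server;
    server_name _;
    return 444;
}
```

The caveat block is the part people forget: removing `listen 80` from one server block does not help if another block on the same IP still accepts port 80 and happily serves whatever Host header arrives. After deploying, a simple check is to request `http://secure.example.com/` from outside and confirm you get a closed connection rather than content.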
Further info (from the Security4all blog):
Presentation slides and a video of the presentation. Below you can see a short interview about the topic:
Picture taken from JoVivek’s photostream with permission.