host posted on February 21, 2009 08:36

Online banking and online trading are not safe; Secure Sockets Layer (SSL) security is an illusion - February 19, 2009
As many of you know, aaacomputer.com has discouraged the use of online banking because of concerns that your bank account user name and password could be stolen when you log into your online bank account and then used to empty or transfer everything in your bank account to the bank account of someone else.
This past week in Washington DC, on 2.19.2009, at the Black Hat Security Conference (https://www.blackhat.com), these warnings were officially confirmed when security researcher Moxie Marlinspike showed how he captured 117 e-mail accounts, 16 credit card numbers, seven PayPal logins, and some 300 other miscellaneous secure login sessions in only 24 hours, all from supposedly secure sites that used SSL. Marlinspike explained that he obtained this protected data by using proxy software he'd written, called "sslstrip," to conduct what's commonly known as a "man-in-the-middle" attack.
The proxy software he created intercepts HTTPS traffic, generates and signs security certificates, and in the process captures all the data passing between the client and server, like between your web browser and your bank's web site, which means he can save all the data transferred, including usernames and passwords. There may be ways to detect this type of attack, like recognizing that a web URL begins with HTTP instead of HTTPS, but not one of the test victims noticed these small web site address changes. The attack can also be enhanced by adding other symbols which would suggest to most users that the session is secure even if it's not. This method could also be changed to include a "homograph attack," which uses letters from different character sets to spoof well-known web sites. For example, in 2005, security researcher Eric Johanson described such an attack using a Cyrillic 'a' in "www.paypal.com" to create a PayPal doppelganger site.
Marlinspike's attack, while technical, also includes some social engineering. It can only work if users do not realize or notice that there is a difference between HTTP and HTTPS sessions, but as noted in his results, not one user noticed this change. This software and these oversights allowed Marlinspike to bypass SSL entirely. Marlinspike noted, as other security analysts have noted in the past, that "lots of times the security of HTTPS comes down to the security of HTTP, and HTTP is not secure."
What does this mean to you? If you want to protect your money, do not do any banking or stock trading online.
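Two of the details in the post above can be made concrete: the proxy handing the browser a page whose links begin with http:// rather than https://, and the Cyrillic 'a' homograph in a PayPal look-alike hostname. The Python below is an added example written for this page; it is not code from the post, from aaacomputer.com, or from the sslstrip tool itself. The function names (strip_https, plaintext_targets, mixed_script_characters, punycode_form), the hostname www.example-bank.com and the sample login page are all constructed for illustration.

```python
import re
import unicodedata
from typing import List, Tuple
from urllib.parse import urlsplit

# Constructed sample page: how a bank's login page might arrive when the
# browser really is talking HTTPS to the bank. Every link and form target
# points at an https:// URL. (Hostname and markup are made up for this example.)
SAMPLE_PAGE = """<html><body>
<a href="https://www.example-bank.com/login">Log in</a>
<form action="https://www.example-bank.com/auth" method="post">
<input name="user"><input name="pass" type="password">
</form></body></html>"""

HTTPS_SCHEME = re.compile(r"https://", re.IGNORECASE)
URL_ATTR = re.compile(r'(?:href|action)="([^"]+)"', re.IGNORECASE)


def strip_https(html: str) -> str:
    """Rewrite the page the way an sslstrip-style proxy does on its way to the
    victim: the proxy keeps its own HTTPS connection to the real site but hands
    the browser a copy in which every https:// reference has become http://, so
    the next click or form submission leaves the browser in plaintext and passes
    through the proxy, where usernames and passwords can be read."""
    return HTTPS_SCHEME.sub("http://", html)


def plaintext_targets(html: str) -> List[str]:
    """The check the post mentions, done mechanically instead of by eye: list
    every link or form target whose URL begins with http:// rather than
    https://. Credentials posted to any of these travel unencrypted."""
    return [u for u in URL_ATTR.findall(html)
            if urlsplit(u).scheme.lower() == "http"]


def mixed_script_characters(host: str) -> List[Tuple[str, str]]:
    """Flag the homograph trick: a hostname label that mixes ASCII letters with
    look-alike letters from another script (e.g. Cyrillic). Returns each
    offending character with its Unicode name so the substitution is visible.
    A label written entirely in one non-Latin script is a legitimate
    internationalised name and is not flagged."""
    found = []
    for label in host.split("."):
        has_ascii = any(c.isascii() and c.isalpha() for c in label)
        for c in label:
            if has_ascii and c.isalpha() and not c.isascii():
                found.append((c, unicodedata.name(c, "UNKNOWN")))
    return found


def punycode_form(host: str) -> str:
    """The form a browser actually resolves: any label containing non-ASCII
    characters is encoded as an xn-- label, which is what exposes the fake."""
    return host.encode("idna").decode("ascii")


if __name__ == "__main__":
    downgraded = strip_https(SAMPLE_PAGE)
    print("plaintext targets before the proxy:", plaintext_targets(SAMPLE_PAGE))
    print("plaintext targets after the proxy: ", plaintext_targets(downgraded))
    # Constructed look-alike: Cyrillic small a (U+0430) in place of the Latin a.
    fake = "www.p\u0430ypal.com"
    print("look-alike host:", fake, "->", punycode_form(fake))
    print("mixed-script characters:", mixed_script_characters(fake))
```

Run stand-alone, the script shows that the untouched page has no plaintext targets, that the same page after the proxy's rewrite submits both its login link and its form over plain HTTP, and that the look-alike hostname, which is indistinguishable from www.paypal.com in most fonts, contains a CYRILLIC SMALL LETTER A and resolves as an xn-- name. The address-bar difference the test victims missed is exactly the one plaintext_targets reports.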