Moxie Marlinspike presented “New Tricks For Defeating SSL In Practice” at BlackHat DC 2009 this week. I listened to the presentation this evening. It is an excellent overview of SSL/TLS implementation vulnerabilities by an individual who is in command of this territory. If you are in a business that depends upon SSL/TLS for a significant portion of your information risk management, I recommend you listen to this presentation too.
I believe most of us need to think through how much we can depend upon SSL/TLS to mitigate the risks associated with attacks on our sensitive information in transit. Marlinspike reviewed the history of SSL/TLS implementation weaknesses and attacker’s clever ideas and technology that leave us currently in a situation where many of our best “secure” web sites are openly vulnerable to man-in-the-middle attacks. All our “locks” and vendor certifications may be rendered impotent to the types of attacks described by Mr. Marlinspike.
Most financial services corporations maintain “secure” Internet-facing customer, marketer, and partner portals. A material portion of our security proposition depends on SSL/TLS for maintaining the confidentiality and integrity of the sensitive information that flows between our servers and our client’s browsers. That equation requires all parties to respect the assumption that there will be onlyone server-browser pair for each session, and any intermediary proxy devices are acting only as purely passive relays. This presentation will put those assumptions to the test. I strongly recommend working through this session, and then doing so again with your information security peers, your application security specialists, and maybe even your management.
After you do, I would like to know what you think and what you might be doing differently in the future?
— References —
A recording of “New Tricks for Defeating SSL in Practice” is available at: http://securitytube.net/Defeating-SSL-using-SSLStrip-(Marlinspike-Blackhat)-video.aspx and the slides are available at: http://www.blackhat.com/presentations/bh-dc-09/Marlinspike/BlackHat-DC-09-Marlinspike-Defeating-SSL.pdf
Contact Moxie Marlinspike at:moxie at thoughtcrime.org