We have been promising for a few weeks a write-up on SSLStrip, and now we have finished it!!!!
SSLStrip sits between the victim and the web server and strips the SSL from the victim's side of the session: the victim talks to the attacker over plain HTTP while the attacker keeps a normal HTTPS session open to the server. This allows the attacker (or tester) to see everything the user sends and receives in clear text. As far as the server is concerned it is a valid encrypted session.
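The post describes the attack but not the browser-side control against it, so here is an added example (my code, not from the original post): a check of a site's Strict-Transport-Security header, which tells a browser to refuse the plain-HTTP downgrade that SSLStrip depends on. The one-year `max-age` threshold is my own assumption; the header values in the comments are constructed.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Threshold is my own choice (assumption): about one year, the value commonly
# recommended so the policy does not lapse between visits.
MIN_MAX_AGE = 31536000

@dataclass
class HstsResult:
    present: bool
    max_age: Optional[int] = None
    include_subdomains: bool = False
    preload: bool = False
    findings: List[str] = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return self.present and not self.findings

def parse_hsts(header_value: Optional[str]) -> HstsResult:
    """Parse an HSTS value and flag gaps that leave a plain http:// downgrade possible."""
    if header_value is None:
        return HstsResult(False, findings=["no HSTS header: browser will follow http:// links"])
    result = HstsResult(True)
    for raw in header_value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "max-age":
            try:
                result.max_age = int(value)
            except ValueError:
                result.findings.append(f"max-age is not an integer: {value!r}")
        elif name == "includesubdomains":
            result.include_subdomains = True
        elif name == "preload":
            result.preload = True
    # max-age is mandatory; without it browsers ignore the whole header.
    if result.max_age is None:
        result.findings.append("max-age missing: header is invalid and ignored")
    elif result.max_age == 0:
        result.findings.append("max-age=0 clears the policy: no downgrade protection")
    elif result.max_age < MIN_MAX_AGE:
        result.findings.append(f"max-age {result.max_age} is short; protection lapses quickly")
    if not result.include_subdomains:
        result.findings.append("includeSubDomains missing: subdomains can still be downgraded")
    return result
```

HSTS only takes effect after one successful HTTPS visit, so a first visit over plain HTTP is still exposed; that first-visit gap is what `preload` (with submission to the browser preload list) closes, which is why the check reports it but does not flag its absence.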
There are a few interesting things going on with this attack. First, from a pen-test perspective, it shows even more clearly how dangerous man-in-the-middle attacks are when leveraged correctly. Funny thing about that… ARP cache poisoning is just as effective as it was 5 years ago. It is getting clearer and clearer to me that if an attacker gets access to an internal network, it is pretty close to being over.
So if you are doing pen-testing and you don’t Man in the Middle… Get on board and start doing it.
Now for the second issue: user training. We tell our users to be careful not to click on links from strangers and to be careful about which websites they visit, but we rarely demonstrate that risk. Why do organizations do pen-tests? They do it to demonstrate risk. Otherwise they tend to do nothing. Is there any reason why we would expect anything less from our users?
The reason I bring this up is that when we do user education we really need to be doing live demonstrations. For example, we need to demonstrate a browser being compromised. We can use tools like SSLStrip to demonstrate why HTTPS is so important, and tools like Web Monkey in the Middle from Dsniff to demonstrate why those certificate pop-ups are kind of important.
I know I am tilting at windmills with user education.
Just a hopeless romantic I guess.