web application security lab

Archive for March, 2009

iPhone SSL Warning and Safari Phishing

Sunday, March 29th, 2009

As some of you may have noticed, there’s a lot more going on in the SSL world and a lot more to come thanks to guys like Mike Zusman, Alex Sotirov, Moxie Marlinspike and so on… Papers forthcoming, but in the meantime I thought I’d point out a pretty nasty UI issue with the iPhone, since it’s something I’ve been meaning to post about for a while. Given the rise in mobile computing as a legitimate way to do business, I think this kind of thing is going to become more important. If an attacker can gain MITM access through a public wifi that the iPhone is using, they can intercept a page that the user normally uses and trusts somewhat, but doesn’t necessarily trust with any sensitive data (like a blog or forum that they frequently visit, for instance).

What you’re seeing is a 1×1 pixel iframe (it doesn’t need to be visible, but it’s good for testing purposes) to https://www.bofa.com/, which uses an invalid certificate. Don’t ask me why one of the largest banks on earth can’t get their certs in order - that’s just the way it is. Anyway, let’s pretend that instead of incredible sloppiness it’s actually a MITM. The user is presented with a popup that in no way explains to them what the cert they are accepting is for. So their first instinct would be to accept it, because they aren’t going to be putting any sensitive information into the page anyway. The problem is that the accepted cert stays with the browser session - so it will continue to work when the user does eventually surf to their bank or whatever SSL page you’ve MITM’d.

Compare that to the desktop version of Safari, where it at least tells you that it’s related to www.bofa.com. Still not the greatest visual cue, but it’s something. Incidentally, during this testing I messed around with some of the old tricks and found out that Safari still suffers from the old URL obfuscation tricks of ages past. E.g.: http://www.bofa.com@ha.ckers.org/. *sigh*
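To make the URL trick concrete from the defender’s side, here is an added Python example (mine, not code from the post) that parses a URL the way RFC 3986 does and reports which host actually receives the request; `inspect_url` and its `expected_host` parameter are names I chose, and the sample URLs other than the one quoted above are constructed.

```python
from urllib.parse import urlsplit


def inspect_url(url, expected_host=None):
    """Report the host a URL really resolves to and flag authority tricks.

    inspect_url is a hypothetical helper: everything before '@' in the
    authority is RFC 3986 userinfo, so http://www.bofa.com@ha.ckers.org/
    is served by ha.ckers.org even though the bank's name comes first.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    userinfo = parts.username or ""
    if parts.password is not None:
        userinfo += ":" + parts.password
    reasons = []
    if userinfo:
        reasons.append("userinfo present in authority")
        # A userinfo containing a dot reads like a domain name: the classic
        # decoy pattern rather than a real HTTP Basic credential.
        if "." in (parts.username or ""):
            reasons.append(f"userinfo {userinfo!r} looks like a hostname")
    if expected_host and expected_host.lower() != host:
        # The brand the user expects shows up somewhere in the URL, but not
        # as the host that actually gets the request.
        if expected_host.lower() in url.lower():
            reasons.append(f"{expected_host} appears as decoy text, real host is {host}")
        else:
            reasons.append(f"host {host} is not the expected {expected_host}")
    return {"host": host, "userinfo": userinfo,
            "suspicious": bool(reasons), "reasons": reasons}


# Constructed samples; the first is the exact form quoted in the post.
SAMPLES = [
    "http://www.bofa.com@ha.ckers.org/",
    "https://www.bofa.com/",
    "http://user:secret@intranet.example/",
]

if __name__ == "__main__":
    for u in SAMPLES:
        print(u, inspect_url(u, expected_host="www.bofa.com"))
```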

Pushing The Limits of Tech

Sunday, March 8th, 2009

Before I begin this post, let me just say, I’ve always been a huge huge fan of technology. I’ve got more insane tech than almost anyone I know (I know HD Moore, though, so I don’t win that geek war, but I’m close). And I also like to think I’ve got a firm grasp of the web, but every once in a while something strikes me as just simply stunning. Go here, and watch it - I suggest making it full screen: the new GE smart grid website. Go visit it before you read the rest of this.

I admit it, I’m amazed. It’s very very cool tech. It’s the wave of the future, and as much as I’d like to pretend I think it’s a terrible idea, I don’t. It’s just amazing. Annnnd just as I’m getting ready to set up my printer, get my camera ready, install a plugin and give it complete access to my camera… I pause, as my security brain finally wakes up from its amazement. I think we’re soon reaching an inflection point, and in many ways have just simply skipped way past it. What’s the point of the web? Is it to delight and amaze? Is it to allow better consumerism? Is it for communication? Is it to impart information? Is it to download porn? Is it all of those things?

How can we possibly secure ourselves when amazing applications are finally on the horizon that make even hardened security folks want to drop all their guards to join in the party? Am I becoming a Scrooge? “Cool tech - bah humbug!” GE’s application is a wiretapper’s dream application yet I’m compelled to join in and be amazed. *sigh* I guess I’ll just have to watch it again and pretend I don’t want to install it.

Man in the Middle

Wednesday, March 4th, 2009

There has been a lot going on in the man in the middle space over the last few months. Frankly - I’m impressed. It’s something I haven’t talked much about publicly, but rather something I like to talk about to people at conferences. In fact, some of the innovations in the space are things I’ve been trying to get guys like Robert Graham and Dave Maynor to write into ferret for years now. That said, there have finally been some major leaps forward in actual technology to empower really nasty MITM attacks.

One thing I’ve been annoyed with is that although MITM is technically possible, and indeed has been demonstrated in lab environments a lot, it’s really not all that common, unless you’re talking about passive listening. There aren’t a lot of programs that use MITM to actually modify traffic. Modifying it is where you get a lot more bang for your buck. There’s a good paper over at Watchfire about why active man in the middle attacks can give you a lot more. In fact, some of what’s in this paper was actually demonstrated by Rich Mogull at DefCon last year. No one was probably paying any mind to the analyst, but that guy is ahead of his time, let me tell you! He was creating iframes to things like the gmail contact list and addresses from yahoo. Cool stuff - and that was just an evil twin.

Also there are a few newish tools that are really important in this space. I think both need to evolve a bit, but they’re both open source, written in python, easy to modify and do 90% of the heavy lifting. So in my mind, active MITM attacks are finally really viable for the average attacker. The first tool is sslstrip, written by Moxie. It does a great job of showing how you can just down-convert into an HTTP mode, and most of the time users won’t notice - especially on pages that just post to HTTPS (a huge pet peeve of mine).

The second tool is Middler, written by Jay Beale. Jay took the concept to the next level and actually built in most of the DNS spoofing/ARP spoofing part of the attack that you need, so you don’t have to run separate programs to get the attack working. Both programs deserve a lot of praise for getting this attack to be more widely understood and realistic, beyond the passive sniffing that we are all accustomed to with tools like ferret and dsniff. Sure, the concept of a MITM attack is nowhere near new, but now it’s finally accessible to the average attacker - which means it’s something we should really start thinking about, beyond saying HTTPS is a solution to our problems - clearly it is not (and for a lot more reasons than Moxie went into too).