The Vulnerabilities Of SSL certificates

2011-02-20

I would like to tip you about an interesting video where Moxie Marlinspike shows several of the vulnerabilities of SSL certificates, which among other things, are used on the web to create what is considered to be secure connections. He also shows how these vulnerabilities can be exploited to, for example, forge certificates. This was presented during DEFCON 2009. Here’s an excerpt that describes the presentation:

“This talk aims to pick up where SSL stripping left off. While sslstrip ultimately remains quite deadly in practice, this talk will demonstrate some new tricks for defeating SSL/TLS in places where sslstrip does not reach. Cautious users, for example, have been advised to explicitly visit https URLs or to use bookmarks in order to protect themselves from sslstrip, while other SSL/TLS based protocols such as imaps, pop3s, smtps, ssl/irc, and SSL-based VPNs never present an opportunity for stripping. This talk will outline some new tools and tricks aimed at these points of communication, ultimately providing highly effective attacks on SSL/TLS connections themselves.”- DEFCON (2009)