Steve Gibson’s Fingerprint service detects SSL man in the middle spying
Courtesy Michael Horowitz, ComputerWorld.com
We have all heard over and over again that secure web pages are safe. They are encrypted using SSL and HTTPS such that the contents of the pages are confidential. But, just because data is encrypted, that doesn’t mean that it can’t be spied on.
Needless to say, malicious software, typically on a Windows computer, can see passwords before they get encrypted by the web browser. A newer approach – infecting the web browser itself – is far worse. The browser sees everything coming and going, making it the perfect spy. Read a few articles about man in the browser attacks and you may never do online banking again (here’s one story and another).
But even without malicious software (yes, iPad users, you should pay attention too), HTTPS encrypted web pages can be spied on, without breaking the encryption. Using a man-in-the-middle (MITM) attack, spies place themselves between the victim and the secure website.
The victim thinks they are talking to the secure website but they are actually talking to a spy computer/device that is intercepting their transmissions. Encrypted data leaves the victim’s computer but the intercepting spy machine gets to decrypt it just as the real website would have.
What does the intercepting spy computer do with the victim’s web pages and data? Whatever it wants to. For the attack to succeed, however, it will send the data, unchanged, to the target website. Most likely, everything coming and going gets logged for later review. That is the whole idea, after all.
Both sides of the secure SSL/HTTPS connection get lied to. The website thinks it is talking directly to the victim, but it is actually communicating with the intercepting spy machine pretending to be the victim. All the encryption in the world doesn’t help if you are not communicating with the entity you think you are.
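The comparison behind a certificate fingerprint check, as an added example that is not part of the original article or the Fingerprint service's own code: an interceptor that terminates the connection must present a certificate of its own, so the fingerprint seen on your network path differs from the one seen from an outside vantage point. SHA-256, the function names and the byte strings standing in for certificates are assumptions made for illustration.

```python
import hashlib
import hmac
import ssl

# Constructed stand-ins for DER-encoded certificates (not real certificates).
REAL_SITE_DER = b"constructed bytes standing in for the real site's certificate"
INTERCEPTOR_DER = b"constructed bytes standing in for an interceptor's certificate"


def fingerprint(der_cert: bytes) -> str:
    """Colon-separated SHA-256 fingerprint of a DER-encoded certificate."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fetch_der_cert(host: str, port: int = 443) -> bytes:
    """Leaf certificate presented on *this* network path (needs network access).
    No chain validation is done here, so an untrusted interceptor's
    certificate is still returned and can be fingerprinted."""
    pem = ssl.get_server_certificate((host, port))
    return ssl.PEM_cert_to_DER_cert(pem)


def normalize(fp: str) -> str:
    """Keep only hex digits so 'ab cd', 'AB:CD' and 'ABCD' compare equal."""
    return "".join(c for c in fp.upper() if c in "0123456789ABCDEF")


def check_path(local_der: bytes, reference_fp: str) -> str:
    """Compare the locally seen certificate with a fingerprint obtained
    from an independent vantage point (a different network or a trusted host)."""
    local = normalize(fingerprint(local_der))
    ref = normalize(reference_fp)
    if len(ref) != 64:  # a SHA-256 fingerprint is 64 hex digits
        return "INVALID_REFERENCE"
    return "MATCH" if hmac.compare_digest(local, ref) else "MISMATCH"


def demo() -> dict:
    """Same reference fingerprint, checked on a clean and an intercepted path."""
    reference = fingerprint(REAL_SITE_DER)
    return {
        "clean_path": check_path(REAL_SITE_DER, reference),
        "intercepted_path": check_path(INTERCEPTOR_DER, reference),
    }


if __name__ == "__main__":
    print(demo())
```

A mismatch is a reason to investigate, not proof of interception: large sites can legitimately serve different certificates from different servers. The reference fingerprint is only useful if it was obtained over a path the interceptor does not control.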