I watched this video: http://www.securitytube.net/video/193 Now I'm thinking about an example.
Suppose I have a privoxy proxy on my PC:
user.action file (just part of it):
{ +redirect{s@http://@https://@} }
.foo.org
then I visit http://foo.org and get redirected to https://foo.org.
The big question: Am I protected against sslstrip?
What will happen? Will the page fail to load? Will using this kind of redirection keep my browsing safe?
Thank you!
Asked
Active
Viewed 2,475 times
4
Ellie Kesselman
- 488
- 4
- 20
LanceBaynes
- 6,149
- 11
- 60
- 91
3 Answers
3
This won't work very well. If you try it, you'll probably find that you are unable to browse most sites, because most sites don't offer their site through SSL (https:).
The right way to defend yourself: install the HTTPS Everywhere extension for Firefox. Any time you visit a web site that is known to support https, HTTPS Everywhere will automatically redirect your browser to use the https version. It's great! I use it and highly recommend it.
Important caveat: You will still be vulnerable to sslstrip / Firesheep style attacks when browsing sites that don't support https. There's not much you can do about that, except ask those sites to support https, or avoid using unencrypted wireless networks. (Or, buy a secure encrypted VPN service to route all your communications through: but that is inconvenient and expensive.)
D.W.
- 98,420
- 30
- 267
- 572
-
i'm only asking sites that has been whitelisten in a redirect rule, so only the sites that support https. so if a site supports https+i write a redirect rule, then i'm fully protected? – LanceBaynes Mar 21 '11 at 09:25
-
i think using a redirect rule with privoxy will save me from an ssltrip attack, because the page just wont load on http, because the redirection, but i need a fixme for this, that's why i asked! :P – LanceBaynes Mar 22 '11 at 12:53
-
-1 HTTPS Everywhere has the **exact same problem** as using privoxy, it is no more or less safe. Either way a DigiNotar style compromise will not help. – rook Sep 12 '11 at 20:45
-
1@Rook, the reason for using HTTPS Everywhere instead of privoxy is not that HTTPS Everywhere is safer. The reason is that HTTPS Everywhere actually, you know, works and doesn't break your web browsing experience. If you use privoxy, then as I explain in the first paragraph of my answer, it won't work very well, because many sites don't offer their site through https. HTTPS Everywhere has put considerable effort into devising a list of sites that do offer their site through https, so it's about as good a whitelist as you're going to get. – D.W. Sep 13 '11 at 06:52
3
Yes, this Privoxy rule set will prevent just a plain SSLStrip attack. But it can't prevent against all attacks. Recently a certificate authority by the name of DigiNotar was compromised. DigiNotar knew they have been comprised but failed to notify the public leading to Mozilla removing them as a trusted CA. This hacker has claimed to compromised 4 other CAs. These forged certificates have been used in iran to MITM Gmail and Facebook.
The author of SSLStrip, Moxie Marlenspike, was able to use it in conjunction with other attacks, such as null byte poisoning, to produce forged certificates. This attack was covered in More Tricks For Defeating SSL.
In both of these cases HTTPS Everywhere and Privoxy fall to the same problems. The certificate appears to be absolutely valid from the browser's perspective.
In 2011, Moxie Marlenspike gave the talk The Future of Authenticity. In this talk he details why Convergence can solve these problems. If you are in Iran or China and you are worried about your state sponsored ISP performing MITM attacks on you with forged certificates then you can use Convergence to detect this attack. However, in order to access the website safely you have to use The Tor Project.
2
The other 2 answers are excellent, but I thought I would throw this log onto the fire, too:
If you are at work (or anywhere where you are using a computer that isn't 100% under your control), then you shouldn't assume any safety at all, even when using SSL.
I know many large organizations that distribute their own root certificates and have an SSL intercept device on their network. These devices can MITM your SSL traffic by generating a fake certificate on the fly and signing it with their own root. These organizations install the root cert on all of their equipment, so if you are using a company laptop, for example, it already trusts this root.
If you are particularly cynical, you may believe that large CAs and government-sponsored CAs (such as China's information ministry) are offering fake certificates to law enforcement, intelligence, and/or military for exactly this purpose.
The only way to avoid this type of SSL sniffing is to be picky about which CAs you trust (I have removed many CAs on my personal laptop) and to use a certificate tracking plugin such as Certificate Patrol. Certificate Patrol will keep track of certificates you've seen in the past (a kind of first trust policy) and will notify you if a certificate unexpectedly changes.
Mark E. Haase
- 1,902
- 2
- 15
- 24
-
3I want to clarify when you are at risk from the kind of attack mentioned here. You are at risk if you are using a work machine, or a machine that has work software on it, or if you click through SSL warning messages. These SSL intercept devices all require the client-side machine to be configured specially to add their root cert to the cert store. If your client machine hasn't been configured that way, you'll get SSL warning messages -- because the SSL intercept devices all involve running a MITM attack, which is exactly what SSL is designed to detect. – D.W. Sep 12 '11 at 01:11
-
the Zorp Proxy can do this - generate own cert/replace with the original one. – LanceBaynes Sep 14 '11 at 07:40