News Hacker creates SSLstrip package

http://www.bit-tech.net/news/bits/2009/02/20/hacker-creates-sslstrip-package/1

A hacker at the Black Hat conference has demonstrated a tool dubbed SSLstrip, which is capable of fooling browsers into giving up SSL encrypted data.

 

Those attacks were tested some time before, very effective indeed. The main problem is that since the beginning ISPs should have invested in full-scale encryption systems. They didn't, because it was "too expensive". Well, now we pay for that.

 

We can only wait for the first class action filed in the US against [enter ISP name here] and within just 2-5 years ISPs will sort their hardware problems out...

 

that is indeed a very interesting toy.......

 

Well, not really. Governments don't like encryption at all - in England even using Putty is illegal. (I know, this is so dumb... it's even hard to phrase how dumb it is, actually)

 

Putty is illegal? Great! That reminds me of the German government trying to pass a law making the use of vulnerability scanners illegal. And how exactly would companies be able to find vulnerabilities after that? Testing for them manually? Great idea.

 

I excreted bricks. That is a very, very worrying discovery. Proof positive, thuough, that Black Hat is actually a useful convention - imagine if the first person to discover this had been a genuine crook?

 

so from what Im understanding, since this is a man in the middle attack, this would only possible with public WIFI hotspots right?

 

They'd better fix this soon.

 

To be honest the real let down is that you have to pay so much money for a SSL license. Can hook up one domain or IP address. For a web server hosting multiple sites this is a terrible construction.