On episode #217 of Security Now, there is a great discussion about a recently-publicized idea that the web browser is inherently broken and easily susceptible to man-in-the-middle attacks. A hacker who goes by the moniker Moxie Marlinspike recently released a paper and demonstration at Black Hat 2009 about how easy it is to fake an SSL certificate, and how easy it is to intercept a user's traffic on a LAN, even when the user thinks he is visiting a secure site.
Since most web pages are not encrypted over an SSL/TLS connection by default (for example, going to www.paypal.com takes you to an unencrypted page), the traffic on that page is in the clear and can easily be monitored by anyone with the right tools sniffing the network traffic on your local area network (such as in a coffee shop or other public Wi-Fi hot spot). If you log in to PayPal, it isn't until you click the login button that your credentials get passed to the server via an encrypted HTTPS connection. Since the web page is not initially encrypted, an attacker who has inserted himself between you and the server can intercept the network traffic, strip out the HTTPS request (the secure SSL/TLS request), and replace it with an HTTP (unencrypted) request. The attacker now has the login credentials of the PayPal user; the attacker then seamlessly passes the request on to PayPal and passes the response back to the user. The only clue the user has that he has been compromised is that the page that gets returned is not encrypted (visible by looking for the https:// prefix in the address bar, or the "padlock" icon).
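The symptom described above, a login form on an unencrypted page whose submission link has been rewritten from https:// to http://, can be checked for mechanically. The following is an added example, not code from the Security Now episode or from Moxie Marlinspike's tools: it parses the HTML a browser actually received and reports any form containing a password field that would submit somewhere other than an https:// URL. The page URLs, form actions and HTML snippets are constructed for the demonstration (www.example.com is a placeholder, not a real target).

```python
"""Flag password forms that would submit credentials over plain HTTP.

Added example (not from the original post). Given the URL a page was
loaded from and its HTML, it resolves each form's action and reports the
ones holding a password field whose submission URL is not https://.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormScanner(HTMLParser):
    """Collect (submission_url, is_https) for every form with a password field."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []
        self._form_action = None
        self._form_has_password = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # A relative or missing action resolves against the page URL, so a
            # form on an http:// page with action="/login" submits over HTTP.
            self._form_action = urljoin(self.page_url, a.get("action") or "")
            self._form_has_password = False
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            self._form_has_password = True

    def handle_endtag(self, tag):
        if tag == "form" and self._form_action is not None:
            if self._form_has_password:
                scheme = urlsplit(self._form_action).scheme.lower()
                self.findings.append((self._form_action, scheme == "https"))
            self._form_action = None
            self._form_has_password = False


def insecure_login_forms(page_url, html):
    """Return submission URLs of password forms that do not use https."""
    scanner = _FormScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return [url for url, secure in scanner.findings if not secure]


# Constructed sample: the page as the site serves it. The search form posts
# over HTTP but carries no password, so it is not a credential leak.
ORIGINAL_PAGE = """
<html><body>
<form action="http://www.example.com/search"><input name="q"></form>
<form action="https://www.example.com/login" method="post">
  <input name="user"><input type="password" name="pass">
</form>
</body></html>
"""

# Constructed sample: the same page after an intermediary rewrote the
# login form's https:// action to http://.
STRIPPED_PAGE = ORIGINAL_PAGE.replace(
    'action="https://www.example.com/login"',
    'action="http://www.example.com/login"')

# Constructed sample: a relative action inherits the scheme of the
# unencrypted page it was served on.
RELATIVE_PAGE = """
<form action="/login" method="post"><input type="password" name="pass"></form>
"""

if __name__ == "__main__":
    for name, page in [("original", ORIGINAL_PAGE), ("stripped", STRIPPED_PAGE),
                       ("relative", RELATIVE_PAGE)]:
        print(name, insecure_login_forms("http://www.example.com/", page))
```

The check is deliberately narrow: it says nothing about whether the https:// URL it finds will later be downgraded, only whether the page as delivered would send a password in the clear, which is exactly the condition the user is expected to notice by eye.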
Most users just assume when they go to PayPal that the web site will handle security. However, Steve Gibson of Security Now proposes a fundamental change in the way web browsers work: requiring that all pages be encrypted HTTPS from the beginning, not just from the moment you click the login button, which is the point at which everyone assumes encryption begins. Watch an interview with Moxie Marlinspike.