Moxie Marlinspike gave a presentation titled: "New Tricks for Defeating SSL in Practice"
at the Black Hat conference last week and released code that demonstrates practical, man in the middle based, attacks on browser security.
The results are a bit depressing, but not entirely new or unexpected. The attacks that he presented in the talk mostly skirt around SSL and while they appear to be effective they aren't really attacking SSL so much as the way we use SSL and how browsers present information.
The overall theme is that browsers have shifted away from gaudy, positive re-enforcement on secure sites towards negative feedback when something "bad" is detected. So as long as hackers don't trigger the "bad" flags users now tend not to notice. The talk also point out a deeper problem that is not easily addressed with simple browser changes - that is that most traffic starts out as http and then migrates to https, leaving a huge hole for man in the middle (MITM) attacks.
The talk boils down to the following:
0) There used to be an egregious bug in certificate verification that blew up everything (you could create certs for whatever you want). That's been fixed in most cases and so he moves on to other topics. Although he does imply that he has more tricks in this area that he isn't sharing with us.
1) For everything that follows you need to get into a position to do a MITM attack. He claims that this is really easy via ARP spoofing, etc. where you trick a client into thinking that you are the network gateway. To me this seems like a bigger problem than anything that follows, but I believe them when they say that it's hard to fix.
2) You exploit the fact that most secure sites either redirect from insecure (http) servers or blatantly start from an insecure page and post login over https from there. Since you are a MITM you just rewrite the pages to strip out the https.
Most of his talk is about #2, which I agree is serious, but basically obvious stuff stemming from being a MITM.
3) He discusses ways to make #2 appear more secure to the user by:
a) Putting up a fake lock icon on the page favicon.
b) Using international domain name lookalikes to put up your own https secured fake sites that front your MITM to the real back end. With this you get the real secure site indicators in the browser.
c) Using a nasty IDN lookalike for https:// that lets you shove the true domain name off the address bar. This gives you point b above but with no visible indication at all.
Point a is "meh", not too exciting.
Point b seems to have been taken care of to some extent in Firefox by not displaying international character sets for some domains like .com.
Point c looks *really* nasty but seems to have obvious fixes in the browser. i.e. stop displaying things that look like http(s):// as part of a subdomain. Maybe I'm naive, but the URL spoofing attacks seem like something we can fix in the browser given a little more thought.
People asked many questions at the end: About half just missed the point that you're a MITM and can rewrite anything the site puts in the page. The other half wanted new kinds of authentication mechanisms supported either by DNS or the sites. The speaker points out that as long as not all sites implement the new features client browsers can't rely on them and can't even "test" for them properly because of DOS attacks.
The speaker notes at the end that it appears that the only solution is https-only sites with a browser side registry of secure sites. Any traffic starting out as http:// is subject to MITM.