This is intended to be educational for those that think SSL-MITM isn't possible so don't shoot the messenger as this is an educational and informative post. I'm not trying to show anyone how to launch a MITM attack, or give away all the steps required to sniff SSL. Besides, there's no need to do this because all of this information is freely available all over the internet with a simple query. From the WordPress thread mentioned above:
The topic of SSL security on an unsecured wifi connection was brought up on on the thread about How to Secure Wordpress Sites [webmasterworld.com] and it seemed there was enough FUD swirling around this topic to start a new thread.
This is intended to be educational for those that think SSL-MITM isn't possible so don't shoot the messenger as this is an educational and informative post. I'm not trying to show anyone how to launch a MITM attack, or give away all the steps required to sniff SSL. Besides, there's no need to do this because all of this information is freely available all over the internet with a simple query.
From the WordPress thread mentioned above:
If you can establish yourself as the MITM (Man in the Middle) you only need to dnsspoof the destination and issue a fake SSL cert as a response to the victim and then you can use SSLDUMP to decrypt the SSL stream.
Wow, that was hard wasn't it?
As a matter of fact, there's even a program available called WEBMITM (web man-in-the-middle) to help facilitate this:
The method I saw used way back in the day was a simple intermediate SSL proxy server which is similar in concept to what I described above.
Let's do a simple diagram of how that works:
Browser using SSL -> SSL proxy -> SSL destination (Bank, Paypal, etc.)
Your browser is happy and shows a LOCK because it's in a secure SSL conversation with the SSL proxy. The SSL proxy server then makes the secure connection to the destination server and passes the content and cookies back and forth between your browser and the true destination.
All conversations are in SSL, everyone's happy, and all the data is collected in the middle.
The big challenge is getting in the middle.
If you can get in the middle, all bets are off.
Forget just collecting web passwords as there's SSHMITM to handle SSH protocols.
Not to mention password recovery tools like Cain & Able can pretty much sniff out anything.
Many of the tools mentioned above are actually bundled into a network auditing and penetration testing package called "dsniff" which you can use to identify leaks in your network security. Unfortunately the knife cuts both ways and the same tools can be used to breach network security.
So how safe is your wifi connection?
It's probably OK because the number of reported incidents is very low.
Some suggest using the TOR anonymizer [torproject.org] will thwart simple MITM attacks because it scatters the request over many TCP connections. TOR is cheap (FREE!), easy to install, and probably not a bad idea to try if you use a lot of public wifi connections. I've yet to investigate the effectiveness of this solution but it's definitely better than using nothing at all.
What do I use?
I use a broadband card and disable wifi when I'm traveling.
[edited by: incrediBILL at 9:11 pm (utc) on July 30, 2008]