Websites vulnerable to HTTPS MITM attacks

Theory

SSL (Secure Sockets Layer) is a protocol designed for secure communication over the internet. SSL creates an encrypted tunnel between two parties, for example a client (laptop) and a server (web application). SSL is used by the HTTPS protocol to secure communication with online banking and other important online services.

The creator of sslstrip showed in 2009 how SSL can be attacked with a Man In The Middle attack. SSL itself is secure and the encryption cannot be cracked once the SSL session is established. However, it is possible to intercept the SSL traffic with a Man In The Middle attack using Linux, Python, iptables and arpspoof. Normally the SSL session creates a secure tunnel between the client and server:

[Figure: ssl_normal]

With a Man In The Middle attack, the attacker sits between the client and server and intercepts the traffic:

[Figure: ssl_mitm]

Now, 4 years later, you might expect the top 100 websites to be protected against this attack, so this week I tried a few websites. Some websites are indeed protected, but many are still vulnerable. On the server side you can enforce the HTTPS protocol: even if the network is attacked, the website does not work over plain HTTP and you cannot fill in your credentials, so the attacker cannot sniff them. However, this costs money and resources.

Vulnerable websites 16-01-2014

Organisation        Website URL                             Website vulnerable
ASN Bank            asnbank.nl                              YES
DigiD               digid.nl                                YES
ING Bank            mijn.ing.nl                             NO
SNS Bank            snsbank.nl                              YES
Twitter             twitter.com                             NO
Rabobank            bankieren.rabobank.nl                   YES
Fox-IT              fox-it.com                              NO
ABN AMRO            abnamro.nl                              NO
Friesland Bank      internetbankieren.frieslandbank.nl      NO
My Aegon            online.aegon.nl                         NO
Facebook            facebook.com                            YES
Instagram           instagram.com                           YES
Tweakers            secure.tweakers.net                     YES
Amazon              amazon.com                              YES
Wikipedia           wikipedia.org                           YES
LinkedIn            linkedin.com                            YES
Blogspot            blogspot.com                            NO
WordPress           wordpress.com                           YES
Bing / Microsoft    bing.com                                YES
eBay                ebay.com                                YES
MSN / Microsoft     msn.com                                 YES
Tumblr              tumblr.com                              YES
Craigslist          craigslist.org                          NO
Imgur               imgur.com                               YES
Reddit              reddit.com                              YES
Netflix             netflix.com                             YES
Pirateproxy         pirateproxy.net                         YES
Vimeo               vimeo.com                               YES
Dropbox             dropbox.com                             NO
Badoo               badoo.com                               YES
DeviantArt          deviantart.com                          YES
4shared             4shared.com                             YES
Walmart             walmart.com                             YES
SourceForge         sourceforge.net                         YES
Ikea                ikea.com/nl/nl/                         YES
DomainTools         domaintools.com                         YES
Steam               steampowered.com                        YES
Scribd              scribd.com                              YES
Bol                 bol.com                                 YES
My Vodafone         my.vodafone.nl                          YES

Websites were tested as follows:

Launch a Man In The Middle attack on a local test network.
Navigate to http://www.google.nl and type the name of the organisation.
Via the company website, test whether the login page or homepage is vulnerable.
It is also possible to type the company website link manually in the address bar with only the HTTP protocol. If the website is vulnerable, it does not automatically switch to the HTTPS protocol, because HTTPS is not enforced and the login page is not hidden when HTTP is used (which would prevent the user from logging in).

Practice

Let's say we are driving around with a laptop (BackTrack 5 operating system and a WiFi antenna), searching for insecure, or even worse, misconfigured WiFi access points or routers (WEP encryption or weak passwords). If we find an access point with WEP encryption, the WiFi password is cracked within 5 minutes or less; we can then connect to the network and launch a Man In The Middle attack. Within minutes all the internet traffic from the network is routed through our laptop. If a user connects to a website that is vulnerable to a Man In The Middle attack, we can reveal their username and password.

[Figure: ssl_log1]

How to protect?

To mitigate a Man In The Middle attack you can use a browser add-on that enforces the HTTPS protocol, type the HTTPS link manually, or use bookmarks with HTTPS links. Security awareness also helps: make sure you are connected to the website over HTTPS. Click on the lock icon or globe in the address bar to check whether the connection is secured and encrypted.
Look at the picture: on the left side the connection is NOT encrypted; on the right side it is secure and encrypted!

[Figure: HTTPS_or_HTTP]
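As an added example (not code from the original post), the following Python turns the manual test from the "Websites tested" section into a check over captured responses: a site only counts as protected when http://host redirects to HTTPS and the HTTPS response carries an HSTS header, because a bare redirect is exactly what an sslstrip-style MITM removes on a first visit, while HSTS makes a returning browser refuse plain HTTP. The hostnames and responses in SAMPLES are constructed, not measurements of any real site.

```python
"""Classify a site by the test used in this post: does http://host get sent
to HTTPS, and will the browser remember that (HSTS)? Added example, not code
from the original post; all hosts and responses below are constructed."""
from urllib.parse import urlparse


def parse_hsts(value):
    """Parse a Strict-Transport-Security header value (RFC 6797)."""
    policy = {"max_age": 0, "include_subdomains": False, "preload": False}
    for part in value.split(";"):
        token = part.strip().lower()
        if token.startswith("max-age="):
            try:
                policy["max_age"] = int(token[8:].strip('"'))
            except ValueError:
                pass  # malformed max-age counts as no policy
        elif token == "includesubdomains":
            policy["include_subdomains"] = True
        elif token == "preload":
            policy["preload"] = True
    return policy


def assess(http_status, http_headers, https_headers):
    """Return (vulnerable, reason). Browsers only honour HSTS on an HTTPS
    response, so it is read from https_headers, not from the redirect."""
    http_h = {k.lower(): v for k, v in http_headers.items()}
    location = http_h.get("location", "")
    # A relative Location such as "/login" has no scheme and is not an upgrade.
    to_https = 300 <= http_status < 400 and urlparse(location).scheme == "https"
    if not to_https:
        return True, "plain HTTP is served without a redirect to HTTPS"
    https_h = {k.lower(): v for k, v in https_headers.items()}
    hsts = parse_hsts(https_h.get("strict-transport-security", ""))
    if hsts["max_age"] <= 0:
        return True, "redirects to HTTPS but sets no HSTS, so a stripped first visit stays on HTTP"
    return False, "redirects to HTTPS and sets HSTS (max-age=%d)" % hsts["max_age"]


# Constructed sample captures: (http status, http headers, https headers).
SAMPLES = {
    "enforced.example": (301, {"Location": "https://enforced.example/"},
                         {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}),
    "redirect-only.example": (302, {"Location": "https://redirect-only.example/login"}, {}),
    "plain.example": (200, {"Content-Type": "text/html"}, {}),
}


def report():
    """Label every sample YES/NO like the table in the post."""
    return {host: "YES" if assess(*capture)[0] else "NO"
            for host, capture in SAMPLES.items()}
```

Feeding real captures to assess() only tells you whether the redirect and HSTS are present; a browser add-on or bookmark that forces HTTPS remains the user-side mitigation the post describes.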
