More Tricks For Defeating SSL

Presented at DEF CON 17 (2009), July 31, 2009, 12:30 p.m. (50 minutes).

This talk aims to pick up where SSL stripping left off. While sslstrip ultimately remains quite deadly in practice, this talk will demonstrate some new tricks for defeating SSL/TLS in places where sslstrip does not reach. Cautious users, for example, have been advised to explicitly visit https URLs or to use bookmarks in order to protect themselves from sslstrip, while other SSL/TLS based protocols such as imaps, pop3s, smtps, ssl/irc, and SSL-based VPNs never present an opportunity for stripping. This talk will outline some new tools and tricks aimed at these points of communication, ultimately providing highly effective attacks on SSL/TLS connections themselves.


Presenters:

  • Moxie Marlinspike
    Moxie Marlinspike is from the Institute For Disruptive Studies, a radical think tank for hackers and co-conspirators who seek to operate outside of both the professional sphere as well as academia. For money, he is a licensed USCG Master Mariner, and delivers yachts worldwide.

Links:

Similar Presentations: