Nuttin But Exchange

Go Search
Home
  

Other Blogs
My "old" NBE site
Nuttin But Exchange > Categories
BlackHat Presenter shows how he defeats SSL Encryption

At Black Hat DC 2009 Moxie Marlinspike gave a talk on how he gets around SSL-based encryption. It isn't so much a hack or a break of SSL itself as a social-engineering trick combined with a man-in-the-middle position: the attacker quietly keeps the victim on plain HTTP while the victim believes they are on the secure site for their bank or company email, and in a 24-hour run he grabbed over 300 login credentials this way. A key point he makes is that few users type https:// into the address bar; they type the host name, land on the http:// site and trust the redirect (or the login link) to carry them to HTTPS, so they never look closely at the address bar or at the certificate, and a lock icon shown somewhere on the page (not necessarily the browser's own indicator) is enough to reassure them. He also calls out poorly built sites that you initially reach via http:// and whose login button gives no URL when you hover over it; the user simply trusts that clicking it will land on an HTTPS page. That trust is exactly what someone sitting in the path can abuse, because the redirect and the login link are delivered over the same unprotected HTTP connection the attacker controls.

Makes me wonder whether we are doing users justice when we publish OWA, SharePoint and similar sites with a plain http:// front door that just redirects to the secured part of the site. We normally do this so users won't have to type the "s" in the URL. The redirect protects nothing on its own: the first request goes out in the clear, and anyone in the path can answer it with a downgraded copy of the site instead of passing the redirect along, which is precisely the attack in the talk. Maybe that isn't such a good practice.
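The mechanism in miniature, as an added example that is not code from the talk or the article: a small Python model of a stripping proxy that downgrades the server's https:// redirect and https:// links to http:// on the way to the browser while re-upgrading them on the way to the real server, followed by the client-side check that defeats it, namely refusing any plain http:// URL for a host the browser has remembered as HTTPS-only (the policy that HTTP Strict Transport Security, standardised later in RFC 6797, gives browsers). The host owa.example.com and the two server responses are constructed placeholders, not captured traffic.

```python
"""Model of the HTTPS-stripping man-in-the-middle described above, plus the
client-side policy check that catches it.  All data here is constructed
sample data; owa.example.com is a placeholder host."""
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed sample: what the real server sends when the user types the bare
# host name (an HTTP -> HTTPS redirect), and the login page served after it.
SERVER_REDIRECT = (
    "HTTP/1.1 302 Found\r\n"
    "Location: https://owa.example.com/owa/auth/logon.aspx\r\n"
    "Content-Length: 0\r\n\r\n"
)

SERVER_LOGIN_PAGE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n\r\n"
    "<html><body>"
    '<form action="https://owa.example.com/owa/auth.owa" method="post">'
    '<input name="username"><input name="password" type="password">'
    '<a href="https://owa.example.com/help">Help</a>'
    "</form></body></html>"
)

URL_RE = r"https?://[^\s\"'<>]+"


class StripProxy:
    """Sits between browser and server: talks HTTPS upstream, hands the browser
    plain HTTP, and remembers which URLs it downgraded so the browser's next
    plain request can be re-upgraded before it reaches the real server."""

    def __init__(self):
        self.downgraded = set()  # http:// URLs that the server meant as https://

    def _downgrade(self, url):
        parts = urlsplit(url)
        if parts.scheme != "https":
            return url
        plain = urlunsplit(("http",) + tuple(parts[1:]))
        self.downgraded.add(plain)
        return plain

    def rewrite_response(self, raw):
        """Rewrite one server response (headers + body) for the browser."""
        head, _, body = raw.partition("\r\n\r\n")
        # The redirect the user relied on now points at http://.
        head = re.sub(r"(?im)^(Location:\s*)(https://\S+)",
                      lambda m: m.group(1) + self._downgrade(m.group(2)), head)
        # Every https:// link and form action in the page becomes http://.
        body = re.sub(r"https://[^\s\"'<>]+",
                      lambda m: self._downgrade(m.group(0)), body)
        return head + "\r\n\r\n" + body

    def upstream_url(self, url):
        """Undo the downgrade on the way to the real server, which therefore
        sees an ordinary HTTPS client and never notices the interception."""
        if url in self.downgraded:
            parts = urlsplit(url)
            return urlunsplit(("https",) + tuple(parts[1:]))
        return url


def downgraded_links(raw, https_only_hosts):
    """The check a browser with a remembered HTTPS-only policy for a host would
    apply: any plain http:// URL for such a host is a downgrade to refuse."""
    flagged = []
    for url in re.findall(URL_RE, raw):
        parts = urlsplit(url)
        if parts.scheme == "http" and parts.hostname in https_only_hosts:
            flagged.append(url)
    return flagged


def demo():
    """Run the attack against the sample responses and apply the check."""
    proxy = StripProxy()
    redirect = proxy.rewrite_response(SERVER_REDIRECT)
    page = proxy.rewrite_response(SERVER_LOGIN_PAGE)
    policy = {"owa.example.com"}  # host the browser has pinned as HTTPS-only
    return {
        "redirect": redirect,
        "page": page,
        "upstream": proxy.upstream_url("http://owa.example.com/owa/auth.owa"),
        "flagged": downgraded_links(redirect, policy) + downgraded_links(page, policy),
    }


if __name__ == "__main__":
    result = demo()
    print(result["redirect"].splitlines()[1])   # the downgraded Location header
    print("flagged:", result["flagged"])
```

Without the pinned policy nothing in the rewritten page looks wrong to the browser: it asked for http://, got http://, and the lock it expects is absent only in a place most users never check. With the policy, all three downgraded URLs (the redirect target, the form action and the help link) are refused before a password can be typed into the form.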

Source: http://www.informationweek.com/news/security/vulnerabilities/showArticle.jhtml?articleID=214501930&cid=nl_IWK_daily_H

The original slide deck of the presentation can be found at: https://www.blackhat.com/presentations/bh-dc-09/Marlinspike/BlackHat-DC-09-Marlinspike-Defeating-SSL.pdf