Friday, October 24, 2008

SSL Man in the Middle Attack: What's it look like?

Security experts tell us that sending credit card numbers across the internet is safe: it's far more likely that an employee on the other end will take the number, or that your wallet will be stolen, than that the NSA will break the encryption protecting your personal information.

So your information is safe from eavesdropping, but what about a man in the middle attack, an attack where someone pretends to be, say, Amazon.com?

Your browser lets you know. Instead of seeing a page you're accustomed to, you'll see a big warning about an SSL certificate being bad.

While developing s3mp, I use a tool called Paros that lets me look at encrypted web traffic by doing just that attack. Whenever I debug this way, I get the warning, which makes sure I know that someone between me and Amazon is looking at what I'm doing.
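The check behind that warning, as an added example that is not from this post or from Paros: a constructed self-signed certificate for the made-up name www.example.com stands in for what an intercepting proxy presents, and verifyLikeBrowser, built on Go's standard crypto/x509, reports what the browser would object to and why the warning goes away once the proxy's certificate has been imported into the trust store for debugging.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)
// newSelfSignedCert is a constructed stand-in for what an intercepting proxy presents: well-formed, but self-signed.
func newSelfSignedCert(dnsName string) (*x509.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		DNSNames:     []string{dnsName},
		NotAfter:     time.Now().Add(24 * time.Hour), // NotBefore stays at its zero value (year 1), safely in the past
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
// verifyLikeBrowser applies the two checks behind the warning: a chain to a trusted root, and a name match.
func verifyLikeBrowser(cert *x509.Certificate, roots *x509.CertPool, host string) string {
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	switch err.(type) {
	case nil:
		return "ok"
	case x509.HostnameError: // the certificate does not name the host we asked for
		return "hostname-mismatch"
	case x509.UnknownAuthorityError: // the chain does not end at a root in the trust store
		return "untrusted-issuer"
	}
	return "other: " + err.Error()
}
func main() {
	cert, err := newSelfSignedCert("www.example.com")
	if err != nil {
		panic(err)
	}
	trusted := x509.NewCertPool() // the proxy's certificate imported for debugging, as with Paros
	trusted.AddCert(cert)
	fmt.Println(verifyLikeBrowser(cert, x509.NewCertPool(), "www.example.com")) // untrusted-issuer
	fmt.Println(verifyLikeBrowser(cert, trusted, "www.example.com"))            // ok
	fmt.Println(verifyLikeBrowser(cert, trusted, "www.other.test"))             // hostname-mismatch
}
```

The first result is the situation the browsers below are warning about; the last shows that importing the proxy's certificate only silences the warning for the name it was issued for.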

Here's what Firefox 3, Chrome, and Internet Explorer 7 display, so that if you encounter the message you know what's going on.

Firefox stops you in your tracks with a popup (UI designers call this a "modal window"). On one hand, it gets your attention; on the other, it stops you from doing anything else, even closing another webpage just as your boss is about to look over. The icon isn't particularly informative and the text is loaded with technobabble.

Chrome lets you know the connection isn't secure with huge type and a red border (though for people with red-green color blindness, protanopia or deuteranopia, the red border looks more like brown). To the designers' credit, it says "an attacker may be trying to intercept your communications" and "you should not proceed."

Internet Explorer shows a page that looks much like the normal error page, but with a red security shield. Like Chrome, it has a human-readable description of what happened, stating that this "might be an attempt to fool you or intercept any data you send to the server." It recommends not proceeding, and, unlike with Chrome, I always find myself hitting the button that doesn't load the page.

Overall, I like Chrome's warning the most, IE's second, and hate Firefox's. Firefox just doesn't explain what happened very well, the modal dialog is obnoxious, there isn't a "run away" button, and ignoring it is a pain. IE came in a close second, but I really like Chrome's red border.
