Data Encryption: New Hacker Tool Makes Browser Padlock Useless, Employs Man In The Middle Attacks.

A security researcher has shown a way to defeat the protection signaled by the web browser’s padlock (the padlock indicates SSL, which encrypts your online communications, for those who are interested). But in testimony to how the use of data encryption software can increase information security, the attack is a man-in-the-middle (MITM) attack, not an attack on encryption per se.

Man In The Middle Attacks

What is an MITM?  Essentially, it’s when a hacker or would-be criminal gets in the middle between two parties.

For example, let’s say that Julius Caesar is sending a message to a general who will answer to no one but Caesar himself: he is utterly devoted to the emperor. The Vandals know that the message from Caesar reads “attack the enemy,” and would like the general on the field to, well, not attack. In fact, the Vandals would prefer that the general surrender.

However, Caesar won’t give such orders, and the general will not surrender unless he receives such an order (such is his devotion). Bribing the general is out of the question, as you can tell by now. What to do?

Attack the guy who’s carrying the message.  He’s the man in the middle.  Bribe the messenger to deliver a different message.

Attacking Web Pages

The new attack revealed by the security researcher does something similar to the above.

When you go to gmail.com to check your e-mail, for example, you’ll notice that there is a little yellow padlock in the lower right-hand corner of your browser. You’ll also notice that the web address starts off with https, with the “s” signifying “secure.”

What this means is that the data between your home connection and gmail.com is encrypted, probably with 128-bit encryption.  Because it’s so hard to crack this type of data security, hackers try to find ways to circumvent the data protection already in place.

In essence, the security researcher puts himself between you and gmail.com. He sets up his own fake gmail.com page and makes it seem as if you’ve connected to the actual site. Once you type in your username and password, he transfers that information to the real gmail.com. Since he transfers, redirects, and controls the data back and forth, he’s the man. In the middle.

The beauty is that, because he controls the page in the middle, he could show that he’s providing an encrypted connection.  An encrypted connection that he can decrypt.

However, he’s found that this is not necessary, since most people don’t bother to check for that padlock.  He claims to have obtained login details, credit card numbers, PayPal logins, and other information that should be secure.

Breaking Encryption Is Not Easy

Encryption is notoriously difficult to break.  That’s why most hackers focus their efforts on guessing passwords (hopefully simple ones) or using social engineering to obtain login credentials.  This latest attack is a form of the latter.

The power of encryption is also why certain states, such as Nevada and Massachusetts, have made the use of file encryption a requirement in certain situations.

In fact, the state of Massachusetts will require any companies that store personally identifiable information–such as names and SSNs–on laptop computers to encrypt these, most probably via solutions like hard drive encryption from AlertBoot.

Related Articles:
https://media.blackhat.com/bh-dc-09/video/Marlinspike/blackhat-dc-09-marlinspike-slide.mov
http://www.crunchgear.com/2009/02/23/software-sorta-lets-you-cut-through-ssl-encryption-like-nobodys-business/
http://www.pcworld.com/businesscenter/article/159976/researcher_shows_how_to_hack_ssl.html
http://www.abcnews.go.com/Technology/AheadoftheCurve/story?id=6925341&page=1


