E-commerce sites still at risk from man in the middle attacks


No matter what type of authentication, from basic to the highly encrypted, or whether organisations use password-based or two-factor authentication, their websites are vulnerable, writes Ben Chai, chief editor of SecurityVibes

Computer Weekly highlighted a serious flaw in the way e-commerce sites implement secure internet access through HTTPS, identified by UK penetration testing company First Base Technologies in April.

The problem has been reported in places such as the Open Web Application Security Project top ten security guide since about 2007.

What is of concern is that two years on, many companies are still unaware of the issue and need to ensure their session cookies are secure. Despite timely warnings from companies such as First Base Technologies, organisations still haven't got it right.
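As an added illustration of the session-cookie point above (this is example code, not from the article or from First Base Technologies), the following Python audit parses Set-Cookie response headers and flags session cookies that lack the Secure attribute, the defect that lets a man in the middle obtain the session over plain HTTP. The session-cookie name hints and the sample headers are assumptions constructed for the example.

```python
from typing import Dict, List

# Substrings that commonly identify a session cookie. This is an assumption for
# the example; in practice, add the application's own session cookie name.
SESSION_NAME_HINTS = ("sess", "sid", "auth", "token")


def parse_set_cookie(header: str) -> Dict[str, object]:
    """Split one Set-Cookie header into name, value and a dict of attributes.

    Attribute names are lower-cased; flag attributes (Secure, HttpOnly) map to True.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, object] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def audit_set_cookie(header: str) -> List[str]:
    """Return findings for one Set-Cookie header (empty when nothing is wrong)."""
    cookie = parse_set_cookie(header)
    name = str(cookie["name"])
    attrs = cookie["attrs"]
    findings: List[str] = []
    looks_like_session = any(h in name.lower() for h in SESSION_NAME_HINTS)
    if looks_like_session and "secure" not in attrs:
        findings.append(f"{name}: session cookie lacks Secure; browsers will send it over plain HTTP")
    if looks_like_session and "httponly" not in attrs:
        findings.append(f"{name}: session cookie lacks HttpOnly; readable by page scripts")
    return findings


def audit_headers(headers: List[str]) -> List[str]:
    """Audit every Set-Cookie header captured from one HTTPS response."""
    findings: List[str] = []
    for h in headers:
        findings.extend(audit_set_cookie(h))
    return findings


# Constructed sample headers, as an audit of an HTTPS login response might capture them.
SAMPLE_HEADERS = [
    "JSESSIONID=abc123; Path=/; HttpOnly",                    # missing Secure
    "sessionid=xyz; Path=/; Secure; HttpOnly; SameSite=Lax",  # correctly flagged
    "lang=en; Path=/",                                        # not a session cookie
]

if __name__ == "__main__":
    for finding in audit_headers(SAMPLE_HEADERS):
        print(finding)
```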

To make matters worse, members of SecurityVibes, a networking site for information security professionals, have reported a potentially more dangerous SSL attack vector using Moxie Marlinspike's attack: sslstrip. Details were presented by Moxie in February 2009 at the BlackHat conference in DC.

This attack can again be mitigated but needs security professionals to be aware of obscure fields in certificates in order to block it.

The lesson learned here is not to assume something is secure just because encryption or SSL is involved. As security professionals, it is impossible for us to keep up to date with every area of security, and it gets worse the higher up the security ladder you go.

For example, chief information security officers need management skills and board-level abilities, while still being aware that attacks exist which could compromise the corporation's e-commerce and SSL VPN sessions.

Peter Woods' complete write up of the SSL attack can be found at the SecurityVibes website.

A step-by-step PDF on how SSL is compromised using Moxie Marlinspike's sslstrip attack can be found here.
