Netstat -vat by Sean Michael Kerner

A command line view of IT



SSL under attack (again) #BlackHat

From the 'be careful who you certify' files:

LAS VEGAS. Earlier this year security researcher Moxie Marlinspike turned the world of SSL security on its head with a presentation at Black Hat DC. Here in Vegas, he's expanding his tool SSLstrip with a series of improvements that will make the tool even more powerful.

"On the web SSL is not usually encountered directly," Marlinspike said. "It's usually a redirect where someone types in bankofamerica.com (or any other site) and then they get forwarded to an SSL page."

What the original SSLstrip tool did was take advantage of that fact to trick the browser into thinking an HTTP connection was actually an SSL connection. Marlinspike noted that getting a regular SSL certificate is an automated process: it works by first doing a whois lookup to find the admin contact.

"They only look for the root of the domain. They don't give a shit about subdomains," Marlinspike said.

As such, a person could get a certificate for a null domain like *0\.attackersite.bankname.com that would validate. He commented that such a wildcard gives SSLstrip great power, providing what looks like a real certificate. To make matters worse, he's now also built in a technique to prevent the wildcard certificate from being revoked by the certificate authority.

"In short, we've got your passwords, your communications and control over the software that runs on your computer," Marlinspike said.

There is, however, a solution. In response to a question from the audience, Marlinspike noted that all the SSL vendors would have to do is validate the whole domain, not just the last bit of it.
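As an added illustration (not code from the post or from SSLstrip), the Python below models the gap Marlinspike describes: a CA that validates only the root of the name, a client that stops reading the name at the first NUL byte, and the full-length check that closes the hole. All hostnames are constructed placeholders.

```python
# Added example (not from the original post): why a null-prefix certificate
# name validates on both sides, and the client-side check that rejects it.
# All hostnames below are constructed placeholders.

NUL = b"\x00"

def ca_validated_root(cert_name: bytes) -> bytes:
    """What a CA that only checks 'the root of the domain' sees: the last two
    labels of the full, NUL-containing name (the whois contact it e-mails)."""
    return b".".join(cert_name.split(b".")[-2:])

def flawed_match(cert_name: bytes, host: bytes) -> bool:
    """Models a client that treats the name as a C string (stops at the first
    NUL) and lets a bare '*' match any host."""
    visible = cert_name.split(NUL, 1)[0].lower()
    if visible == b"*":
        return True
    return visible == host.lower()

def safe_match(cert_name: bytes, host: bytes) -> bool:
    """Full-length comparison: an embedded NUL is never a legitimate DNS name,
    and '*' may only stand for one whole leftmost label."""
    if NUL in cert_name or NUL in host:
        return False
    pat, hst = cert_name.lower().split(b"."), host.lower().split(b".")
    if len(pat) != len(hst) or len(pat) < 3:
        return False
    if pat[0] == b"*":                 # wildcard covers exactly the leftmost label
        pat, hst = pat[1:], hst[1:]
    if any(b"*" in p for p in pat):    # no partial or non-leftmost wildcards
        return False
    return pat == hst

if __name__ == "__main__":
    # Constructed name: the bank's hostname, a NUL, then the attacker's own domain.
    attacker_cert = b"www.bank.example" + NUL + b".attacker.example"
    print(ca_validated_root(attacker_cert))                  # attacker.example
    print(flawed_match(attacker_cert, b"www.bank.example"))  # True
    print(safe_match(attacker_cert, b"www.bank.example"))    # False
    print(flawed_match(b"*" + NUL + b".attacker.example", b"login.bank.example"))  # True
```

The `ca_validated_root` value is the "last bit" of the domain the CA checks; `safe_match` is the whole-name comparison a client needs regardless of what the CA did.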

Picture: Moxie Marlinspike Credit: Sean M Kerner
