Defense Against SSp Attacks

Source: Internet
Author: User
Tags: wildcard, ssl

SpookZanG

First, let's look back at the features of SSp attacks:

1. The attack must be carried out in a LAN environment, because its premise is ARP spoofing; in a WAN environment ARP spoofing has no room to operate.

2. The web transaction page redirects from an HTTP page to an HTTPS page, and this is precisely the feature attackers exploit to launch the attack successfully.

3. The attack described above did not actually break the SSL encrypted channel itself; it cleverly exploited the redirect.

The following describes SSp defense methods based on these features.

1. Encrypted transmission of confidential information: the client communicates with the attacker in HTTP plaintext, which lets the attacker strip the plaintext account information out of the packets the client submits. However, if the account information the client sends is itself encrypted, it is not easy for the attacker to capture the password the user entered. Therefore, if the transaction client can ensure that the password it sends into the HTTP/HTTPS channel is an encrypted ciphertext string, it can defend effectively against SSp attacks. For example, the fintech terminal protection system uses dynamic key encryption technology: the account information entered by the user is encrypted with a dynamic key before it is passed into the HTTP/HTTPS channel. Besides preventing the attacker from capturing the plaintext password, this also prevents the attacker from capturing a ciphertext string encrypted with a fixed key and reusing it, so it is very effective against SSp attacks.
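Added illustration of the two properties this defense relies on (the on-path attacker never sees the plaintext password, and a captured value cannot be reused); it is not the product's scheme: instead of dynamic-key encryption it substitutes a stdlib HMAC challenge-response over a one-time server nonce, and the account store and function names are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed demo user store: account -> password. A real system would hold a
# password verifier; the page's product uses dynamic-key encryption, while this
# illustration substitutes an HMAC challenge-response built from the stdlib.
USERS = {"acct-1001": "s3cret-pass"}

# Nonces the server has issued but not yet seen used; each is consumed once.
_issued_nonces = set()

def issue_nonce() -> str:
    """Server side: mint a fresh random nonce (the per-login 'dynamic key' material)."""
    nonce = secrets.token_hex(16)
    _issued_nonces.add(nonce)
    return nonce

def client_tag(password: str, nonce: str) -> str:
    """Client side: the value put on the wire instead of the plaintext password."""
    return hmac.new(password.encode(), nonce.encode(), hashlib.sha256).hexdigest()

def verify_login(account: str, nonce: str, tag: str) -> bool:
    """Server side: accept only a tag bound to an unused nonce, then burn the nonce."""
    if nonce not in _issued_nonces:
        return False                  # unknown or already-used nonce: a replay
    _issued_nonces.discard(nonce)     # burn first, so a concurrent replay also fails
    password = USERS.get(account)
    if password is None:
        return False
    return hmac.compare_digest(client_tag(password, nonce), tag)

def demo() -> tuple:
    """A fresh login succeeds; replaying the captured (nonce, tag) pair is rejected.
    Caveat: a tag keyed by a weak password is still open to offline guessing by
    whoever captured it, so this complements TLS rather than replacing it."""
    nonce = issue_nonce()
    tag = client_tag("s3cret-pass", nonce)   # on-path attacker sees nonce and tag, never the password
    first = verify_login("acct-1001", nonce, tag)
    replay = verify_login("acct-1001", nonce, tag)
    return first, replay

if __name__ == "__main__":
    print(demo())   # (True, False)
```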

2. Defense against ARP spoofing: as mentioned earlier, ARP spoofing is a necessary condition for an SSp attack to succeed. Therefore, if corresponding ARP spoofing defenses are in place in the LAN, they also defend well against SSp. Specifically, there are many free tools and many professional enterprise-level security products, such as the internal network security management system of luumeng technology, for defending against ARP spoofing.

3. URL check: when the client renders the page, it checks whether the related URLs have been tampered with. If an anomaly is found, a security prompt reminds the user of the security problem with the current link and recommends stopping the transaction; alternatively, the client can directly block the subsequent page display and terminate the transaction. During our research and testing we found that some web transaction systems already use this method to prevent such attacks. However, attack and defense are always relative: an attacker who is highly targeted and wants to intercept the account information of a specific web transaction system can simply filter the check code out while forwarding the packets in the middle, so the user completes the transaction in plaintext and the attacker successfully captures the account information.

4. EV SSL: the SSL extended validation mechanism helps users easily tell whether the current website is the real securities trading website. An SSL Extended Validation (EV SSL) certificate, full name Extended Validation SSL Certificate, is a new strict identity verification standard for SSL certificates jointly developed by the world's leading digital certificate authorities and mainstream browser developers. A new generation of secure browsers (such as IE7) can recognize EV SSL and display green in the address bar, so that ordinary consumers can confirm that the website they are visiting is the real server, strictly authenticated by an authoritative third party.

5. PKI digital certificate system: PKI digital certificates can be used to audit and authenticate the identity of online securities users when they log on to Alibaba Cloud, and to prevent repudiation of transactions. As for preventing SSLstrip attacks, PKI digital certificates provide enhanced two-way authentication, which can effectively verify whether the ongoing communication is over an encrypted link and whether the other party is the real securities trading server, so that control measures can be taken when an anomaly is detected and password theft is avoided. On the other hand, once digital certificates are used, the identity authentication of online securities is no longer just an account and login password: the attacker must hold the correct certificate to complete the attack. Therefore the attacker must additionally obtain the user's digital certificate, which further increases the difficulty of the attack.

Other SSp attacks

Another SSp attack method is also a hot topic, but no relevant experiments have been conducted.

This SSp attack uses a proxy on the LAN that holds a valid SSL certificate, so that the browser displays "https" in the address bar. Second, it uses homograph techniques to build a long URL containing a series of forged slashes. (To prevent the browser from converting these characters to Punycode, the attacker must obtain a wildcard SSL digital certificate for *.ijjk.cn.)

The result is that SSL encrypted communication takes place between the client and the attacker and between the attacker and the server, but all the data is forwarded by the attacker, which means all the information is visible to the attacker.
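Added example, not code from the original article, covering both the URL check of defense 3 and the homograph proxy URL just described: it separates the host a reader of the raw URL perceives from the host that TLS and DNS actually use, flags slash look-alikes inside the hostname, and reports which domain a wildcard certificate would have to cover. The look-alike character set, the `www.bank.example` host and the sample URLs are constructed assumptions; `*.ijjk.cn` is the wildcard named in the text.

```python
import unicodedata

# Known look-alikes for '/' that are legal inside an IDN hostname label; the
# NFKC check below catches others (constructed list, an assumption of this example).
FAKE_SLASHES = {"\u2044", "\u2215", "\uff0f"}   # FRACTION, DIVISION, FULLWIDTH SOLIDUS

def split_url(url: str) -> tuple:
    """Hand-written (scheme, host, path) splitter that keeps look-alike characters
    intact; urllib.parse.urlsplit rejects hosts whose NFKC form would contain '/'."""
    scheme, _, rest = url.partition("://")
    netloc, slash, path = rest.partition("/")
    host = netloc.rsplit("@", 1)[-1].split(":", 1)[0]      # drop userinfo and port
    return scheme.lower(), host.lower(), slash + path

def apparent_host(url: str) -> str:
    """What a reader of the raw URL takes as the host: text up to the first slash-like glyph."""
    rest = url.partition("://")[2]
    for i, ch in enumerate(rest):
        if ch == "/" or ch in FAKE_SLASHES:
            return rest[:i]
    return rest

def smuggled_delimiters(host: str) -> list:
    """Characters that are, or normalise (NFKC) to, '/' or '.' without being the ASCII ones."""
    return [ch for ch in host
            if ch != "." and (ch in FAKE_SLASHES or
                              any(d in "/." for d in unicodedata.normalize("NFKC", ch)))]

def check_url(url: str, expected_host: str) -> dict:
    """Page-side URL check (defense 3) extended to catch the homograph proxy URL."""
    scheme, host, _ = split_url(url)
    findings = []
    if scheme != "https":
        findings.append("scheme is not https")
    if host != expected_host:
        findings.append(f"TLS/DNS host is {host!r}, not {expected_host!r}")
    seen = apparent_host(url)
    if seen != host:
        findings.append(f"URL reads as {seen!r} but the host is {host!r}")
    for ch in smuggled_delimiters(host):
        findings.append(f"U+{ord(ch):04X} {unicodedata.name(ch, '?')} inside hostname")
    cert_domain = ".".join(host.split(".")[-2:])   # what a wildcard cert would be issued for
    return {"host": host, "cert_domain": cert_domain, "findings": findings, "ok": not findings}

# Constructed sample URLs: the genuine login page and the proxy URL described above.
GOOD = "https://www.bank.example/login"
BAD = "https://www.bank.example\u2044login\u2044.ijjk.cn/"
```

Calling `check_url(BAD, "www.bank.example")` reports that the URL reads as `www.bank.example` while the real host ends in `ijjk.cn`, which is exactly the domain the attacker's wildcard certificate covers.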

Revisiting the harm of SSp attacks

Currently, SSp attacks target the password information of the transaction account. However, because all data sent by the client is forwarded by the attacker, the attacker can actually intercept all the information, including transaction information, and can directly tamper with it. The premise, however, is that the attacker processes the data in a targeted way and filters out all the sensitive information they want.

Conclusion

After this in-depth analysis of SSp attacks, we hope every reader can gain the confidence that SSp attacks are not terrible: as long as appropriate defense measures are taken, SSp attacks can be repelled.
