At the recent BlackHat Washington conference, a nice presentation was given about new man-in-the-middle techniques for SSL

The presentation starts with a good intro-primer on how SSL certificate validation works, continues with explaining how the old MITMs worked (including the trick with the intermediate CA which is used by most SSL inspection devices) and goes on with how it can be defeated now with stripping https or  providing real valid https connections with ‘just’ a valid wild card certificate and some homo-graphic tricks.

The impact of this is not alarming in my opinion as there were already mitm tricks which worked. Attackers tend to stick to simple things that work before moving on. This is just an addition to the arsenal of tricks to fool a user into thinking his connection is secured. However, this might even trick the more experienced computer users and not only your mom who does a little online banking.

The presentation is worth a read because it gives a nice background on SSL validation, makes you think about website security architecture and makes you a little more paranoid when surfing the web in a public place.

This just shows once more that the cornerstone of SSL is trust. If you can come up with a way to get your malicious stuff to look trustworthy, it’s game over.