A recent presentation at the Blackhat conference shows that user's will easily fall into SSL man-in-the-middle attacks, thereby disclosing all sorts of private information.
A presenter who goes by the name of Moxie Marlinspike demonstrated how the attack works. In summary, the technique involves the usual interception of traffic so that the attacker can get in between the user and their destination. With that done, a valid SSL certificate is used but for an international domain name.
Then spoofing is used with hostnames and domain names along with character codes that can mimic the visual appearance of standard ASCII characters. This aspect is basically a visual trick that most users apparently don't pick up on.
An example, taken from Moxie's presentation slides, might look like this:
https://www.gmail.com/accounts/ServiceLogin?!f.ijjk.cn
Moxie wrote that "The \[URL\] does not display as punycode in the status bar or the URL bar. When resolved, it becomes www.google.xn--comaccountsservicelogin-5j9pia.f.ijjk.cn"
So overall the browser shows that it has an SSL connection and the associated certificate is valid. But the user is actually visiting a spoofed site.
Moxie said the a test environment was established in a public Wifi hotspot where he was able to collect the login details of 114 Yahoo users, 50 Gmail users, 42 Ticketmaster users, 9 PayPal users - and much more.
The tool used to prove this scenario is called SSLstrip and will reportedly be released at Moxie's Web site, although it doesn't seem to be available yet. Meanwhile you can view the powerpoint presentation now and also see an interview with Moxie at YouTube.
