SSL Is Useless.

Published on: 1201985549
Once in a while I read articles and comments from people that claim SSL secures it all. How wrong can one be: SSL doesn't do anything to secure you. Others swear by two-factor authentication, and the ones who understand just laugh. Because it doesn't help a thing if you are vulnerable to XSS. What? XSS can defeat SSL? Sure it can; that's why many are still so ignorant about XSS. A small XSS vulnerability can render all your SSL precautions useless. The reason is actually very obvious, but somehow many can't grasp the idea that security is a process.

Besides other serious exploits, or just JavaScript that is executed on an SSL-enabled host, we can also force the browser to exit the SSL connection and return to a normal connection. So, in combination with man-in-the-middle attacks, we can use JavaScript to get a sniffable line. For the greater good, many online services allow us to switch from an SSL connection to a regular one, even if we are in the middle of authentication. So we can utilize this almost anywhere, from XSS holes to browser- or desktop-based malware that wants to sniff a connection.

You might think the big guys know this, but Gmail was vulnerable to this exact same scheme. There isn't much rocket science involved: all we need to do is execute this JavaScript through an XSS vulnerability and we can make sure the line is sniffable again.
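
The switch back to a regular connection described above only exposes a session when the site lets that session live on plain HTTP. As an added example (not code from the original post), this Node.js check audits one response for that exposure; the function name and the sample headers are constructed for illustration.

```javascript
// Added example: audit one HTTPS response for settings that let a session
// survive a forced switch from https:// to http://. Header values below are
// constructed sample data, not captured from any real service.
function auditDowngradeExposure(response) {
  const findings = [];
  const headers = {};
  for (const [name, value] of response.headers) {
    const key = name.toLowerCase();
    (headers[key] = headers[key] || []).push(value);
  }

  // Without HSTS the browser will follow a script- or link-driven http:// URL.
  const hsts = (headers['strict-transport-security'] || [])[0];
  const maxAge = hsts ? /max-age\s*=\s*"?(\d+)/i.exec(hsts) : null;
  if (!maxAge || Number(maxAge[1]) === 0) {
    findings.push('no-hsts');
  }

  // A cookie without Secure is sent over plain HTTP; without HttpOnly,
  // script injected into the page can read it.
  for (const cookie of headers['set-cookie'] || []) {
    const [pair, ...attrs] = cookie.split(';').map((s) => s.trim());
    const cookieName = pair.split('=')[0];
    const flags = attrs.map((a) => a.split('=')[0].toLowerCase());
    if (!flags.includes('secure')) findings.push(`cookie-not-secure:${cookieName}`);
    if (!flags.includes('httponly')) findings.push(`cookie-script-readable:${cookieName}`);
  }

  // The server itself sending the user back to a regular connection.
  for (const location of headers['location'] || []) {
    if (/^http:\/\//i.test(location)) findings.push('redirect-to-http');
  }
  return findings;
}

// Constructed responses: a weak configuration beside a hardened one.
const weakResponse = { headers: [
  ['Set-Cookie', 'SID=abc123; Path=/'],
  ['Location', 'http://mail.example.test/inbox'],
]};
const hardenedResponse = { headers: [
  ['Strict-Transport-Security', 'max-age=31536000; includeSubDomains'],
  ['Set-Cookie', 'SID=abc123; Path=/; Secure; HttpOnly; SameSite=Lax'],
  ['Location', 'https://mail.example.test/inbox'],
]};

console.log(auditDowngradeExposure(weakResponse));
console.log(auditDowngradeExposure(hardenedResponse));
```

An empty result means the response sets HSTS, marks its cookies Secure and HttpOnly, and does not redirect to plain HTTP; it says nothing about whether the page is free of XSS.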