Man-in-the-Middle Attacks more widespread

Hacker groups have confirmed that man-in-the-middle attacks can be used to render SSL security null and void whenever an end user transacts over the Internet.

The inventor of SSL begs to differ with that conclusion, explaining that browser problems are responsible for the hacking method's effectiveness.

Furthermore, he claims that the effects of man-in-the-middle attacks over the reportedly vulnerable SSL cannot be oversimplified that way.

Dr. Taher Elgamal went to Australia for the AusCERT 2009 Asia Pacific Information Security Conference to deliver a keynote speech in which he explained that there is more to man-in-the-middle attacks than meets the eye, and that the issue cannot be reduced to black or white.

Dr. Elgamal invented the Secure Sockets Layer, or SSL, while working for Netscape Communications, at a time when the company's premier browser was still a legitimate competitor to Internet Explorer.

MITM Attacks more popular than ever for SSL attacks

Man-in-the-middle attacks, otherwise known as MITM, are so called because they insert a proxy between a web server and a browser.

The web browser first asks for a certificate; the proxy intercepts the answer to that request and delivers in its place an intermediate certificate of its own that the browser treats as trustworthy.

Dr. Elgamal insists that MITM's ability to render SSL moot isn't an SSL protocol vulnerability or flaw.

It is instead a security hole that is symptomatic of problems with the browser trust model.

The fault arises because the browser is able to trust a lot of different things; that is, it will accept on the strength of a security certificate that a site is secure to browse, and many different certificates qualify.

More to the point, the debate about the security of the browser trust model, the doctor says, has been ongoing for a decade and a half.

The problem with the browser trust model is that it has to serve two masters.

On one hand, a tighter trust model is needed from a security standpoint.

On the other hand, a more flexible solution is preferred from a business standpoint.

Customers don't want to become too restricted or regulated by draconian rules, yet they also want to be securely protected from hacker attacks and the like while surfing the Internet. The model is stuck between a rock and a hard place, and it must compromise its effectiveness in order to strike a balance between the two standpoints.

Nevertheless, Elgamal argues that MITM isn't all evil. Like most anything involved with technology, it can be used for both the benefit and detriment of the end user.

For instance, MITM can be used by corporations to ensure that there is no leakage of data via encrypted channels.
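
The certificate substitution and the corporate inspection case described above, as an added example (not from the article or from Dr. Elgamal). It is a simplified Python model: certificates are dictionaries signed with toy textbook-RSA keys, the trust store maps root names to public moduli, and all names, hosts and keys are constructed. The key-fingerprint comparison in assess() is a check added here that the article does not discuss.

```python
import hashlib

E = 65537  # public exponent shared by both toy keys

def make_ca(name, p, q):
    """Toy textbook-RSA signing key from small fixed primes (model only)."""
    n = p * q
    return {"name": name, "n": n, "d": pow(E, -1, (p - 1) * (q - 1))}

def digest(cert, n):
    tbs = f"{cert['subject']}|{cert['issuer']}|{cert['key']}".encode()
    return int.from_bytes(hashlib.sha256(tbs).digest(), "big") % n

def issue(ca, subject, key):
    cert = {"subject": subject, "issuer": ca["name"], "key": key}
    cert["sig"] = pow(digest(cert, ca["n"]), ca["d"], ca["n"])
    return cert

def chain_ok(cert, host, trust_store):
    """Trust-model check: the name matches and ANY root in the store signed it."""
    n = trust_store.get(cert["issuer"])  # store maps root name -> public modulus
    return (n is not None and cert["subject"] == host
            and pow(cert["sig"], E, n) == digest(cert, n))

def pin_of(cert):
    return hashlib.sha256(cert["key"].encode()).hexdigest()

def assess(cert, host, trust_store, pins):
    if not chain_ok(cert, host, trust_store):
        return "reject: untrusted chain"
    if pins.get(host) not in (None, pin_of(cert)):
        return "alert: trusted chain, unexpected key"
    return "accept"

# Constructed sample data: Mersenne primes keep the toy keys valid.
public_root = make_ca("Public Root CA (constructed)", 131071, 524287)
proxy_root = make_ca("Inspection Proxy CA (constructed)", 8191, 2147483647)
HOST = "shop.example"
genuine = issue(public_root, HOST, "server-key (constructed)")
substituted = issue(proxy_root, HOST, "proxy-key (constructed)")
home_store = {public_root["name"]: public_root["n"]}
corp_store = {**home_store, proxy_root["name"]: proxy_root["n"]}  # proxy root installed
PINS = {HOST: pin_of(genuine)}  # fingerprint recorded on a clean connection

if __name__ == "__main__":
    for store_name, store in (("home", home_store), ("corp", corp_store)):
        for label, cert in (("genuine", genuine), ("substituted", substituted)):
            print(store_name, label, assess(cert, HOST, store, PINS))
```

The substituted certificate is rejected only while the proxy's root is absent from the trust store; once that root is installed, chain validation alone cannot tell it from the genuine one.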