Man-in-the-middle attack can sidestep SSL easily

According to the security researchers told the attendees at the Black Hat Security Briefings, Man-in-the-middle attack is one of the major threat that can easily sidestep any SSL (Secure Socket Layer) enabled connections.  It doesnot mean the weakness of SSL encryption, but the combination of poorly educated users, fewer security warnings in browsers can allow Man-in-the-middle attack to easily sidestep SSL encryptions used to pass login credentials. Using a proxy server between the user and the internet can be used to intercept or forge any login request made. A program on the proxy server sends the request to the Web site, handles any redirect to an SSL-encrypted page and returns an exact duplicate to the user, without the encryption.

But the web address will be  http and not https. The researchers said that most of the internet users are not aware that their page is not encrpted. According to the test, the researchers calimed that they are able to intercept 114 Yahoo! credentials, 50 Gmail credentials and 16 credit-card numbers in 20 hours.

The presentation demonstrated a practical attack using a collection of already understood weaknesses. In the past, cross-site scripting has been used to inject content into supposedly secure sites.