With the recent release of the SSLSniff tool, other various privacy issues, and the need for security culture amongst activists, running our activist websites in a secure manner is increasingly important.  One of the ways that you can dramatically and easily increase the security and privacy of your server is to enable Secure Sockets Layer (SSL) for all of your clients, all of the time. 

The problem with only enabling SSL some of the time is twofold.  The first benefit is that your readers and end-users may not want everyone else on the net to know what they are reading, even if it is not traditionally sensetive material (i.e. passwords, etc.)   Some users of hackbloc may not want the other people on their lan to know anything about what they are reading (other than where it comes from of course).  This technique however will not prevent attacks like SSLSniff from working.

Hackbloc already uses this technique, if you look above you will see that you are at an https website!  So how do we enable this technique?  Simple, just copy and paste the following code into your .htaccess file:

RewriteCond %{HTTP_HOST} ^hackbloc\.org$ [NC]
RewriteCond %{SERVER_PORT} ^80$
RewriteRule ^(.*)$ https://hackbloc.org/$1 [L,R=301]

Of course, you will need to make sure that you have mod_rewrite enabled on your server.  But that is all you need!  There is one downside to this, if you do not have a certificate from a major cert company, your firefox using visitors will receive this lovely error screen.  Unfortunately there is no way around this other than getting a certificate from a major authority, or pestering the mozilla foundation into adding cacert.com to their root certificates.  So get to it!

Moxie of  Thoughtcrime.org has release a tool is able to recreate SSL pages with none of the security

First, arpspoof convinces a host that our MAC address is the router's MAC address, and the target begins to send us all its network traffic.  The kernel forwards everything along except for traffic destined to port 443, which it redirects to $listenPort (10000, for example).

At this point, sslsniff receives the client connection, makes a connection to the real SSL site, and looks at the information in the server's certificate.  sslsniff then generates a new certificate with an identical Distinguished Name and signs it with the end-entity certificate in $certificateFile.  sslsniff uses the generated certificate chain to do a SSL handshake with the client and proxy data between both hosts (while logging it, of course).

According to Forbes, Marlinspike was able to "grab passwords to 117 e-mail accounts, 16 credit cards numbers, seven Paypal logins and about 300 other logins to supposedly secure sites ranging from Gmail to Ticketmaster to Facebook." We congradulate moxie is his finding and want to throw out to him and anyone else who has a cool project to please submit it to the next hackthiszine.

Corporate Article Here: Forbes.com

Download the software here: SSLsinff