Yes, it’s a vaguely IT-related post, just for a change.
I must admit, I was somewhat irritated by the very trivial issue of the misuse of the term zero-day vulnerability. If Zimperium has notified LinkedIn six times about the issue, I don’t think it can be described as a zero-day vulnerability, since it’s known to the provider. Unless the notifications have been disappearing into a black hole somewhere, but Zimperium’s blog indicates that LinkedIn acknowledged to them last year that the issue existed. And in fact, SSL-stripping has been a known attack for quite a few years. As far as I can see, it isn’t a vulnerability at all in terms of the SSL trust model: it’s an implementation issue.
HTTPS is essentially HTTP with a supervening layer of SSL/TLS. While Zimperium’s blog doesn’t describe a specific vulnerability, what it refers to as SSL-stripping involves intercepting transactions between the victim and the server and downgrading the victim’s HTTPS requests to plain HTTP. If SSL is used throughout the site, though, it should fail with a ‘connection refused’ message unless the attacker is using other tools that directly attack the underlying trust model and the way certificates are checked. HSTS (HTTP Strict Transport Security) helps by telling the browser that only HTTPS connections are allowed for that host, but the HSTS header can be stripped in some scenarios, for instance when the browser has never received it over a trusted connection in the first place.
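To make the HSTS point concrete, here is an added example (not code from the original post, and not Zimperium’s or LinkedIn’s) that models how a browser parses a Strict-Transport-Security header, remembers the policy for a host, and upgrades later plain-HTTP URLs to HTTPS before sending them. All hosts, headers and timestamps in it are constructed for illustration. It also shows the gap the text mentions: until a policy has been stored, an http:// URL goes out unchanged, which is exactly the window a stripping proxy relies on.

```python
"""Added example: a minimal model of browser-side HSTS handling.

Not code from the original post; hosts and header values are constructed.
"""
import time
from urllib.parse import urlsplit, urlunsplit


def parse_hsts(header):
    """Parse a Strict-Transport-Security header value into a policy dict.

    Returns None when the header is missing or lacks a numeric max-age,
    mirroring the RFC 6797 rule that max-age is mandatory.
    """
    if not header:
        return None
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                return None
            policy["max_age"] = int(value)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    if policy["max_age"] is None:
        return None
    return policy


class HstsStore:
    """In-memory stand-in for a browser's known-HSTS-host list."""

    def __init__(self, now=time.time):
        self._now = now          # injectable clock so expiry can be tested
        self._hosts = {}         # host -> (expiry_timestamp, include_subdomains)

    def remember(self, host, header):
        """Record the policy carried by a response header; False if invalid."""
        policy = parse_hsts(header)
        if policy is None:
            return False
        if policy["max_age"] == 0:
            self._hosts.pop(host, None)   # max-age=0 tells the browser to forget
            return True
        self._hosts[host] = (self._now() + policy["max_age"],
                             policy["include_subdomains"])
        return True

    def is_known(self, host):
        """True if host, or a parent with includeSubDomains, has a live policy."""
        now = self._now()
        labels = host.split(".")
        for i in range(len(labels)):
            entry = self._hosts.get(".".join(labels[i:]))
            if entry is None:
                continue
            expiry, include_sub = entry
            if expiry <= now:
                continue
            if i == 0 or include_sub:
                return True
        return False

    def rewrite(self, url):
        """Upgrade http:// to https:// for known hosts, as a browser does
        before the request leaves; anything else is returned unchanged."""
        parts = urlsplit(url)
        if parts.scheme == "http" and self.is_known(parts.hostname or ""):
            netloc = parts.netloc[:-3] if parts.netloc.endswith(":80") else parts.netloc
            return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
        return url


if __name__ == "__main__":
    store = HstsStore()
    print(store.rewrite("http://www.example.com/login"))   # first visit: unchanged
    store.remember("www.example.com", "max-age=31536000; includeSubDomains")
    print(store.rewrite("http://www.example.com/login"))   # now upgraded to https
```

The design point is that the store is only ever populated from a header the browser actually received; a proxy that answers the first request itself can keep that header from ever arriving, which is why the consumer-side advice of typing the https:// address yourself still matters even on sites that send HSTS.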
There are a couple of measures (as described by Zimperium) that the consumer can take right now: turn on HTTPS for all LinkedIn transactions in Account/Security Settings, and always log in to https://www.linkedin.com, not http://www.linkedin.com.
Of course, there may be other issues that Zimperium’s blog doesn’t mention, and I’m not familiar with their pen-test toolkit, so I can’t comment on the details of their findings.
Small Blue-Green World