Not a week goes by without some new problem surfacing in day to day communication security. The newest stems from a black hat talk by Moxie Marlinspike of thoughtcrime.org. This attack is not sky-is-falling immediate action required bad, but is instead of the depressingly presentable variety. Moxie’s new attack is actually quite elegant and has a retro vibe to it in exploiting the most vulnerable link in any security chain: the user.

His setup for the attack examines website deisng as it relates to SSL security. He observes users do not type HTTPS, but rather encounter it from HTTP such as login boxes which post to HTTPS urls. Seperating the feedback mechanisms into positive and negative, he also notes triggering the positive mechanisms (little locks, changing colored address bars, etc) is not so bad while triggering negative mechanisms (invalid security certificate, problem encountered with the website’s certificate etc) are game killers.