Moxie Marlinspike

Moxie Marlinspike
Citizenship	US
Fields	Computer Security
Institutions	Whisper Systems
Known for	Software architect Convergence (SSL) Whisper Systems

Moxie Marlinspike (aka Matthew Rosenfeld,^[1][2][3] aka Mike Benham^[4][5]) is the pseudonym of a computer security researcher. He was the chief technology officer and co-founder of Whisper Systems,^[6] which was acquired by Twitter for an undisclosed amount in late 2011.^[7] Marlinspike is also a member of the Institute For Disruptive Studies,^[8] runs a cloud-based WPA cracking service,^[9] manages the GoogleSharing targeted anonymity service,^[10] and is the author of the Convergence SSL authenticity system.^[11]

Notable research

• SSL stripping. In a 2009 paper, Marlinspike introduced the concept of SSL stripping, a man-in-the-middle attack in which a network attacker could prevent a web browser from upgrading to an SSL connection in a subtle way that would likely go unnoticed by a user. He also announced the release of a tool, sslstrip, which would automatically perform these types of man in the middle attacks. The HTTP Strict Transport Security specification was subsequently developed to combat these attacks, however deployment of HSTS has been slow, and SSL stripping attacks are still widely used today.^[12][13]

• SSL implementation attacks. Marlinspike has discovered a number of different vulnerabilities in popular SSL implementations. Notably, Marlinspike published a 2002 paper ^[14] on exploiting SSL/TLS implementations that did not correctly verify the X.509v3 BasicConstraints extension in public key certificate chains. This allowed anyone with a valid CA-signed certificate for any domain name to create what appeared to be valid CA-signed certificates for any other domain. The vulnerable SSL/TLS implementations included the Microsoft CryptoAPI, making Internet Explorer and all other Windows software that relied on SSL/TLS connections vulnerable to a man-in-the-middle attack. In 2011, the same vulnerability was discovered to have remained present in the SSL/TLS implementation on Apple Inc.'s iOS.^[15][16] Also notably, Marlinspike presented a 2009 paper,^[17] where he introduced the concept of a null-prefix attack on SSL certificates. He revealed that all major SSL implementations failed to properly verify the Common Name value of a certificate, such that they could be tricked into accepting forged certificates by embedding null characters into the CN field.^[18][19]

• Solutions to the CA problem. In 2011, Marlinspike presented a talk titled SSL And The Future Of Authenticity^[20] at the Defcon security conference in Las Vegas. He outlined many of the current problems with certificate authorities, and announced the release of a software project called Convergence to replace Certificate Authorities.^[21][22] In 2012, Marlinspike and Trevor Perrin submitted an Internet Draft for TACK,^[23] which is designed to provide SSL certificate pinning and help solve the CA problem, to the IETF.^[24]

• Cracking MS-CHAPv2. In 2012, Marlinspike and David Hulton presented research that makes it possible to reduce the security of MS-CHAPv2 handshakes to a single DES encryption. Hulton built hardware capable of cracking the remaining DES encryption in less than 24 hours, and the two made the hardware available for anyone to use as an internet service.^[25]

Detainment controversy

On November 17, 2010, it was reported that Marlinspike may have been placed on a United States federal watchlist that prohibited him from flying freely. He was reportedly detained for five hours, and all his electronics, including his laptop and cellphone, were reportedly seized.^[26] While flying domestically, he is reportedly unable to print his own boarding pass, is required to have airline ticketing agents make a phone call in order to issue one, and is subjected to selective screening at TSA security checkpoints.^[27]

References

1. http://eprint.iacr.org/2013/049.pdf
2. http://www.thoughtcrime.org/software/fakeroute/fakeroute-0.3.tar.gz
3. http://interviews.slashdot.org/story/11/12/19/179256/moxie-marlinspike-answers-your-questions
4. https://www.pcworld.com/article/103892/article.html
5. http://seclists.org/bugtraq/2002/Aug/111
6. CNet: WhisperCore App Encrypts All Data For Android
7. http://www.forbes.com/sites/andygreenberg/2011/11/28/twitter-acquires-moxie-marlinspikes-encryption-startup-whisper-systems/
8. NetworkWorld: With SSL, who can you really trust?
9. PC World: New Cloud-Based Service Steals Wi-fi Passwords
10. Forbes: A Better Way To Hide From Google
11. Convergence
12. Breaking Your Browser's Padlock
13. SSLStrip Hacking Tool Released
14. BasicConstraints Vulnerability
15. Apple iOS Bug Worse Than Advertised/
16. iPhone data interception tool released
17. More New Tricks For Defeating SSL In Practice
18. Vulnerabilities Allow Attackers To Impersonate Any Website
19. Wildcard certificate spoofs web authentication
20. SSL And The Future Of Authenticity
21. New SSL Alternative
22. Future of SSL in doubt?
23. Trust Assertions For Certificate Keys
24. SSL fix flags forged certificates
25. New Tool From Moxie Marlinspike Cracks Some Crypto Passwords
26. Another Hacker's Laptop, Cellphones Searched At Border
27. Security researcher: I keep getting detained by feds