Moxie Marlinspike

From Wikipedia, the free encyclopedia
Other names: Matthew Rosenfeld,[1][2] Mike Benham[3][4]
Citizenship: US
Fields: Computer security, Software architecture
Known for: Open Whisper Systems, Whisper Systems, Convergence (SSL), Axolotl (protocol)

Moxie Marlinspike is the pseudonym of a computer security researcher. His research has focused primarily on techniques for intercepting communication, as well as methods for strengthening communication infrastructure against interception. He is a member of the Institute for Disruptive Studies,[5] former head of the security team at Twitter,[6] founder of Open Whisper Systems,[7] and a fellow at the Shuttleworth Foundation.[8] He runs a cloud-based WPA cracking service,[9] manages the GoogleSharing targeted anonymity service,[10] and is the author of the Convergence SSL authentication system.[11]


Marlinspike moved to San Francisco in the late 1990s and worked for several technology companies, including enterprise infrastructure software maker BEA Systems Inc, before the dot-com collapse.[12] During the mid-2000s, Marlinspike and three friends refurbished a derelict sailboat and sailed around the Bahamas.[12]

In 2010, Marlinspike was the chief technology officer and co-founder of Whisper Systems,[13] an enterprise mobile security startup company. In May 2010, Whisper Systems launched TextSecure and RedPhone. These were applications that provided end-to-end encrypted SMS messaging and voice calling, respectively. The company was acquired by the social-media firm Twitter for an undisclosed amount in late 2011.[14] The acquisition was done "primarily so that Mr. Marlinspike could help the then-startup improve its security".[12] During his time as head of cybersecurity at Twitter,[15] the firm made Whisper Systems' apps open-source.[16][17] Marlinspike left Twitter in early 2013[18] and founded Open Whisper Systems[19] as a collaborative Open Source project for the continued development of TextSecure and RedPhone.[20] In November 2015, Open Whisper Systems unified the TextSecure and RedPhone applications as Signal.[21]

Notable research

SSL stripping

In a 2009 paper, Marlinspike introduced the concept of SSL stripping, a man-in-the-middle attack in which a network attacker could prevent a web browser from upgrading to an SSL connection in a subtle way that would likely go unnoticed by a user. He also announced the release of a tool, sslstrip,[22] which would automatically perform these types of man-in-the-middle attacks. The HTTP Strict Transport Security (HSTS) specification was subsequently developed to combat these attacks. However, deployment of HSTS has been slow, and SSL stripping attacks are still widely used today.[23][24][not in citation given]
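The HSTS defence named above, as an added example that is not from the original article or any browser's code: a simplified model of a client-side HSTS store showing why a remembered policy defeats stripping. Host names, header values and timestamps are constructed.

```python
import time
from urllib.parse import urlsplit, urlunsplit
# Constructed, simplified model of a browser's HSTS store (added example, not a
# real browser's code). Once a host has sent Strict-Transport-Security over
# HTTPS, later http:// URLs for it are rewritten to https:// before any request
# leaves the client, so an SSL-stripping attacker never sees a plaintext request.
_hsts_store = {}  # host -> (expiry as epoch seconds, include_subdomains)

def parse_hsts(header):
    """(max_age, include_subdomains) from an STS value, or None if max-age is bad."""
    max_age, include_sub = None, False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
    return None if max_age is None else (max_age, include_sub)

def record_hsts(host, header, over_https, now=None):
    """Store a policy only if it arrived over HTTPS; RFC 6797 ignores the header
    on plain HTTP, otherwise a stripping attacker could plant a bogus one."""
    parsed = parse_hsts(header) if over_https else None
    if parsed is None:
        return False
    now = time.time() if now is None else now
    # max-age=0 yields an already-expired entry, which is how a host opts out.
    _hsts_store[host.lower()] = (now + parsed[0], parsed[1])
    return True

def is_hsts_host(host, now=None):
    """True if host, or a parent with includeSubDomains, has an unexpired policy."""
    now = time.time() if now is None else now
    labels = host.lower().split(".")
    for i in range(len(labels)):
        entry = _hsts_store.get(".".join(labels[i:]))
        if entry and entry[0] > now and (i == 0 or entry[1]):
            return True
    return False

def upgrade_url(url, now=None):
    """The URL the client must actually fetch: https:// for a known HSTS host."""
    parts = urlsplit(url)
    if parts.scheme != "http" or not is_hsts_host(parts.hostname or "", now):
        return url
    netloc = parts.netloc[:-3] if parts.netloc.endswith(":80") else parts.netloc
    return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
```

The first visit still goes over whatever scheme the user typed, which is why the paragraph's point stands: until a policy has been seen over HTTPS (or preloaded), a stripped first connection is not prevented.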

SSL implementation attacks

Marlinspike has discovered a number of different vulnerabilities in popular SSL implementations. Notably, Marlinspike published a 2002 paper[25] on exploiting SSL/TLS implementations that did not correctly verify the X.509 v3 "BasicConstraints" extension in public key certificate chains. This allowed anyone with a valid CA-signed certificate for any domain name to create what appeared to be valid CA-signed certificates for any other domain. The vulnerable SSL/TLS implementations included the Microsoft CryptoAPI, making Internet Explorer and all other Windows software that relied on SSL/TLS connections vulnerable to a man-in-the-middle attack. In 2011, the same vulnerability was discovered to have remained present in the SSL/TLS implementation on Apple Inc.'s iOS.[26][27] Also notably, Marlinspike presented a 2009 paper,[28] where he introduced the concept of a null-prefix attack on SSL certificates. He revealed that all major SSL implementations failed to properly verify the Common Name value of a certificate, such that they could be tricked into accepting forged certificates by embedding null characters into the CN field.[29][30]
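Both implementation flaws described above, as an added example (not code from either paper or from any real TLS library): a simplified chain validator that enforces the BasicConstraints cA flag and pathLenConstraint, beside a hostname match that rejects an embedded NUL rather than truncating at it, with the truncating comparison shown for contrast. Certificate names and the chain are constructed, and signature verification is assumed to happen elsewhere.

```python
# Constructed model of two checks that the 2002 BasicConstraints paper and the
# 2009 null-prefix paper showed TLS clients skipping (added example, not code from
# either paper). Certificates are dicts; signature checks are assumed elsewhere.
TRUSTED_ROOTS = {"Example Root CA"}  # constructed trust anchor

def chain_is_valid(chain, check_basic_constraints=True):
    """chain[0] is the leaf; chain[-1] must be issued by a trusted root.
    check_basic_constraints=False reproduces the 2002 bug: any certificate,
    even a leaf for one website, is then accepted as a CA."""
    for i, cert in enumerate(chain):
        if i + 1 == len(chain):
            return cert["issuer"] in TRUSTED_ROOTS
        issuer = chain[i + 1]
        if cert["issuer"] != issuer["subject"]:
            return False
        if not check_basic_constraints:
            continue
        # A certificate that signs another must carry cA=TRUE, and its
        # pathLenConstraint caps how many intermediates may sit below it.
        if not issuer.get("ca", False):
            return False
        plen = issuer.get("path_len")
        if plen is not None and i > plen:   # i = intermediates below issuer
            return False
    return False                            # empty chain

def cn_matches_host(cn_der_value, host):
    """Match the CommonName (bytes, using its full ASN.1 length) against host.
    A legitimate hostname never contains NUL or non-ASCII, so reject those."""
    if b"\x00" in cn_der_value or not cn_der_value.isascii():
        return False
    cn, host = cn_der_value.decode("ascii").lower(), host.lower()
    if cn.startswith("*."):                 # wildcard covers exactly one label
        return "." in host and host.split(".", 1)[1] == cn[2:]
    return cn == host

def cn_matches_host_buggy(cn_der_value, host):
    """The 2009 bug: the value went to a C string routine, which stops at the
    first NUL and therefore compares only the prefix before it."""
    cn = cn_der_value.split(b"\x00", 1)[0].decode("ascii", "replace").lower()
    return cn == host.lower()

# Constructed sample chain: a website leaf under a real intermediate CA.
INTERMEDIATE = {"subject": "Example Issuing CA", "issuer": "Example Root CA", "ca": True, "path_len": 0}
LEAF = {"subject": "www.bank.example", "issuer": "Example Issuing CA", "ca": False}
# A certificate "signed" by the leaf above; only a client that skips the cA check accepts it.
ROGUE = {"subject": "www.other.example", "issuer": "www.bank.example", "ca": False}
```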

Solutions to the CA problem

In 2011, Marlinspike presented a talk titled SSL And The Future Of Authenticity[31] at the Black Hat security conference in Las Vegas. He outlined many of the current problems with certificate authorities, and announced the release of a software project called Convergence to replace certificate authorities.[32][33] In 2012, Marlinspike and Trevor Perrin submitted to the IETF an Internet Draft for TACK,[34] which is designed to provide SSL certificate pinning and help solve the CA problem.[35]

Cracking MS-CHAPv2

In 2012, Marlinspike and David Hulton presented research that makes it possible to reduce the security of MS-CHAPv2 handshakes to a single DES encryption. Hulton built hardware capable of cracking the remaining DES encryption in less than 24 hours, and the two made the hardware available for anyone to use as an Internet service.[36]


Secondary Security Screening Selection (SSSS)

Marlinspike says that when flying within the USA he is unable to print his own boarding pass, is required to have airline ticketing agents make a phone call in order to issue one, and is subjected to secondary screening at TSA security checkpoints.[37]


While entering the United States via a flight from the Dominican Republic in 2010, Marlinspike was detained for five hours; federal agents requested his passwords, and all his electronic devices were confiscated and then returned.[38]

Speaking engagements

  • DEF CON 17: "More Tricks for Defeating SSL"[39]
  • DEF CON 18 and Black Hat 2010: "Changing Threats to Privacy"[40]
  • DEF CON 19 and Black Hat 2011: "SSL and the Future of Authenticity"[41]
  • DEF CON 20: "Defeating PPTP VPNs and WPA2 with MS-CHAPv2"[42]
  • Webstock '15: "Making private communication simple"[43]

References

  1. Meyer, Christopher; Schwenk, Jörg (31 Jan 2013). "Lessons Learned From Previous SSL/TLS Attacks". Cryptology. Retrieved 2014-10-19.
  2. "Moxie Marlinspike Answers Your Questions - Slashdot". 2011-12-19. Retrieved 2013-10-04.
  3. "Severe Security Flaw Found in IE". PCWorld. 2002-08-13. Retrieved 2013-10-17.
  4. "Bugtraq: IE SSL Vulnerability". 2002-08-05. Retrieved 2013-10-04.
  5. "With SSL, who can you really trust?". NetworkWorld. 2011-08-18. Retrieved 2013-12-09.
  6. Hern, Alex (17 October 2014). "Twitter's former security head condemns Whisper's privacy flaws". The Guardian. Retrieved 22 January 2015.
  7. Franceschi-Bicchierai, Lorenzo (18 November 2014). "WhatsApp messages now have Snowden-approved encryption on Android". Mashable. Retrieved 23 January 2015.
  8. "Moxie Marlinspike". Shuttleworth Foundation. Retrieved 22 January 2015.
  9. "New Cloud-Based Service Steals Wi-fi Passwords". PC World. Retrieved 2013-12-09.
  10. "A Better Way To Hide From Google". Forbes. 2013-11-25. Archived from the original on 12 October 2013. Retrieved 2013-12-09.
  11. "Convergence". Retrieved 2013-12-09.
  12. Yadron, Danny (9 July 2015). "Moxie Marlinspike: The Coder Who Encrypted Your Texts". The Wall Street Journal. Retrieved 10 July 2015.
  13. Mills, Elinor (2011-03-15). "CNet: WhisperCore App Encrypts All Data For Android". Retrieved 2013-12-09.
  14. "Twitter Acquires Moxie Marlinspike's Encryption Startup Whisper Systems". Forbes. Retrieved 2013-10-04.
  15. Powers, Shawn M.; Jablonski, Michael (February 2015). The Real Cyber War: The Political Economy of Internet Freedom. University of Illinois Press. p. 198. ISBN 978-0-252-09710-2.
  16. Aniszczyk, Chris (20 December 2011). "The Whispers Are True". The Twitter Developer Blog. Twitter. Archived from the original on 24 October 2014. Retrieved 22 January 2015.
  17. "RedPhone is now Open Source!". Whisper Systems. 18 July 2012. Archived from the original on 31 July 2012. Retrieved 22 January 2015.
  18. Yadron, Danny (10 July 2015). "What Moxie Marlinspike Did at Twitter". Digits (The Wall Street Journal). Retrieved 13 July 2015.
  19. Greenberg, Andy (29 July 2014). "Your iPhone Can Finally Make Free, Encrypted Calls". Wired. Retrieved 18 January 2015.
  20. "A New Home". Open Whisper Systems. 21 January 2013. Retrieved 11 July 2015.
  21. Greenberg, Andy (2 November 2015). "Signal, the Snowden-Approved Crypto App, Comes to Android". Wired. Condé Nast. Retrieved 24 November 2015.
  22. "sslstrip". Retrieved 2013-12-09.
  23. "Breaking Your Browser's Padlock". Retrieved 2013-12-09.
  24. Higgins, Kelly Jackson (2009-02-24). "SSLStrip Hacking Tool Released". Retrieved 2013-12-09.
  25. "BasicConstraints Vulnerability". Retrieved 2013-12-09.
  26. "Apple iOS Bug Worse Than Advertised".
  27. "iPhone data interception tool released". 2011-07-27. Retrieved 2013-12-09.
  28. "More New Tricks For Defeating SSL In Practice". 2011-01-15. Retrieved 2013-12-09.
  29. Zetter, Kim (2009-07-30). "Vulnerabilities Allow Attackers To Impersonate Any Website". Retrieved 2013-12-09.
  30. Goodin, Dan (2009-07-30). "Wildcard certificate spoofs web authentication". Retrieved 2013-12-09.
  31. "SSL And The Future Of Authenticity". 2011-08-18. Retrieved 2013-12-09.
  32. "New SSL Alternative". Retrieved 2013-12-09.
  33. "Future of SSL in doubt?". 2011-08-09. Retrieved 2013-12-09.
  34. "Trust Assertions For Certificate Keys". Retrieved 2013-12-09.
  35. Goodin, Dan (2012-05-23). "SSL fix flags forged certificates". Retrieved 2013-12-09.
  36. "New Tool From Moxie Marlinspike Cracks Some Crypto Passwords".
  37. Mills, Elinor (2010-11-18). "Security researcher: I keep getting detained by feds". Retrieved 2013-12-09.
  38. Zetter, Kim. "Another Hacker's Laptop, Cellphones Searched At Border". Retrieved 2013-12-09.
  39. "DEF CON 17 - Moxie Marlinspike - More Tricks for Defeating SSL". YouTube. DEF CON. Retrieved 22 January 2015.
  40. "DEF CON 18 - Moxie Marlinspike - Changing Threats To Privacy: From TIA to Google". YouTube. DEF CON. Retrieved 22 January 2015.
  41. "DEF CON 19 - Moxie Marlinspike - SSL And The Future Of Authenticity". YouTube. DEF CON. Retrieved 22 January 2015.
  42. "DEF CON 20 - Marlinspike Hulton and Ray - Defeating PPTP VPNs and WPA2 Enterprise with MS-CHAPv2". YouTube. DEF CON. Retrieved 22 January 2015.
  43. "Webstock '15: Moxie Marlinspike - Making private communication simple". Vimeo. Webstock. Retrieved 22 April 2015.

External links