![[Level:16]](http://www.gilgil.net/modules/point/icons/default/16.gif "Point:23265point (7%), Level:16/30"){kind=icon}
gilgil[SSL attack pseudo code]
void surf(string url){TCPClient tcpClient = new TCPClient;if (!tcpClient.connect(url.hostname, url.port)) return;HTTPClient httpClient = tcpClient;if (url.scheme == "https") // SSL Strip hacking makes a web browser bypass this checking routine.{SSLClient sslClient = new SSLClient(tcpClient);SSLCertificate sslCert = getCertByHandshake(sslClient); // SSL Sniff hacking changes this result value(sslCert).if (!isSafe(url.hostname, sslCert)){bool _continue = showWarning(sslCert);if (!_continue) return;}httpClient = sslClient;}sendHTTPRequest(httpClient, url);string contents = recvHTTPResponse(httpClient);showInWebBrowser(contents);}bool isSafe(string hostname, SSLCertificate cert){if (hostname != getCommonName(cert)) return false;if (isExpired(cert)) return false;if (!isIssuedFromRootCA(cert)) return false; // Rogue CA hacking makes this function return value always "true".return true;}
So many people do not know for sure what "SSL Sniff", "SSL Strip" and "Rogue CA" hacking attacks are.
However, I've made a pseudo code to let you know what they mean exactly.
Sometimes, codes speak louder than words. ;)
Memory leak possibility?
C++ syntax error?
No problem.
It's just a pseudo code. :)
Technical score : Rogue CA >SSL Sniff > SSL Strip
Threaten priority : SSL Strip > SSL Sniff > Rogue CA