A posting to Pastebin, by a group that calls itself “Cyber Warrior Team from Iran”, claims to have breached a NASA website via a “Man in the Middle” attack. The announcement is a bit hard to read due to the broken English, but here is how the SANS Internet Storm Center parsed the post:
The “Cyber Warrior Team” used a tool to scan NASA websites for SSL misconfiguration. They came across a site that used an invalid, likely self-signed or expired certificate. Users visiting this website would be used to seeing a certificate warning. This made it a lot easier to launch a man-in-the-middle attack. In addition, the login form on the index page isn’t using SSL, making it possible to intercept and modify it unnoticed.
Once the attacker set up the man-in-the-middle attack, they were able to collect usernames and passwords.
Based on this interpretation, the lesson should be to stop using self-signed or invalid certificates, even for “obscure” internal websites. I have frequently seen the argument that for an internal website a valid certificate is “not important”, “too expensive” or “too complex” to set up. SSL isn’t doing much for you if the certificate is not valid: the encryption it provides only protects you if the authentication works as well, because otherwise you never know whether the key you negotiated was negotiated with the right party or with someone sitting in the middle.
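To make the “invalid certificate” category concrete, here is an added example (not code from the post or from SANS) that classifies the problems a browser would warn about, using only the Python standard library. The certificate dicts are constructed by hand in the shape that `ssl.SSLSocket.getpeercert()` returns; the hostnames, the “Example Internal CA” issuer and the audit timestamp are assumptions for illustration. The `probe()` helper does a fully verified live connection and is the kind of check you would run across your own internal hosts; it is not exercised offline.

```python
"""Classify TLS certificate problems of the kind the post describes
(self-signed, expired, wrong hostname), standard library only.

Constructed example, not code from the original post: the certificate
dicts below are hand-built in the shape ssl.SSLSocket.getpeercert() returns.
"""
import calendar
import socket
import ssl


def _rdn_to_dict(rdns) -> dict:
    """Flatten getpeercert()'s subject/issuer tuple-of-tuples into {key: value}."""
    return {key: value for rdn in rdns for key, value in rdn}


def _dns_match(pattern: str, hostname: str) -> bool:
    """Match one SAN dNSName (single leftmost wildcard allowed) against a hostname."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        suffix = pattern[1:]                      # e.g. ".example.internal"
        if not hostname.endswith(suffix):
            return False
        prefix = hostname[: -len(suffix)]
        return bool(prefix) and "." not in prefix  # wildcard covers exactly one label
    return False


def cert_findings(cert: dict, hostname: str, now: float) -> list:
    """Return the problems a browser would warn about for this certificate.

    `cert` is a dict in getpeercert() format; `now` is a POSIX timestamp so the
    check is deterministic (pass time.time() in real use).
    """
    findings = []
    if cert.get("subject") == cert.get("issuer"):
        findings.append("self-signed")
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        findings.append("not-yet-valid")
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        findings.append("expired")
    names = [v for t, v in cert.get("subjectAltName", ()) if t == "DNS"]
    if not names:  # legacy certificate with no SAN: fall back to the subject CN
        cn = _rdn_to_dict(cert.get("subject", ())).get("commonName")
        names = [cn] if cn else []
    if not any(_dns_match(n, hostname) for n in names):
        findings.append("hostname-mismatch")
    return findings


def probe(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Live check of one server with full verification (network; not run offline).

    Returns "ok" or OpenSSL's verification message, i.e. the same class of error
    that a user's browser turns into a certificate warning page.
    """
    ctx = ssl.create_default_context()  # verifies the chain and the hostname
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                tls.getpeercert()
        return "ok"
    except ssl.SSLCertVerificationError as e:
        return e.verify_message


# Constructed sample certificates (hypothetical names, not from the post).
AUDIT_TIME = calendar.timegm((2012, 6, 1, 0, 0, 0, 0, 0, 0))  # 2012-06-01T00:00:00Z

SELF_SIGNED_EXPIRED = {
    "subject": ((("commonName", "intranet.example.internal"),),),
    "issuer": ((("commonName", "intranet.example.internal"),),),
    "notBefore": "Jun 15 00:00:00 2010 GMT",
    "notAfter": "Jun 15 00:00:00 2011 GMT",
    "subjectAltName": (("DNS", "intranet.example.internal"),),
}

CA_ISSUED_OK = {
    "subject": ((("commonName", "*.example.internal"),),),
    "issuer": ((("commonName", "Example Internal CA"),),),
    "notBefore": "Jan 10 00:00:00 2012 GMT",
    "notAfter": "Jan 10 00:00:00 2013 GMT",
    "subjectAltName": (("DNS", "*.example.internal"),),
}

if __name__ == "__main__":
    for label, cert in (("self-signed/expired", SELF_SIGNED_EXPIRED),
                        ("CA-issued", CA_ISSUED_OK)):
        print(label, cert_findings(cert, "intranet.example.internal", AUDIT_TIME))
```

The point of the classifier is that every one of these findings is a case where the encryption still “works” but the authentication does not, which is exactly the situation the post describes: a user who has learned to click through the warning on that site will click through the attacker's certificate too. Run `probe()` against each internal host and treat anything other than `"ok"` as a finding to fix, not a warning to train users to ignore.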
And of course, the login form on the index page should be delivered via SSL as well. Even if the form submits to an https URL, it can be tampered with in transit if the page that carries it is delivered over http rather than https.
For a good test of whether SSL is configured correctly on your site, see https://www.ssllabs.com