Since my company sells a product that decrypts SSL traffic in order to enable intrusion detection systems to inspect it, I was looking for examples of real world attacks hidden in SSL traffic. As part of this research I examined Santy and found out that: a. there are many phpBB sites protected by SSL: I Just Googled something like: "inurl:https inurl:viewtopic inurl:highlight", which is similar to the Santy search but also requiring the page to be SSL protected and found 2000. Not enough to spread a worm, but certainly enough to find some vulnerable sites to deface. b. Santy itself did not address SSL: It parsed found URL using the pattern s#^http://##i (thus ignoring https sites) and naturally also did not assume port 443 for https protocol. Since modifying the code to handle SSL requires changing two lines, I wondered if somebody has seen a variant or similar attack over SSL? Ofer Shezaf CTO, Breach Security Tel: +972.9.956.0036 ext.212 Cell: +972.54.443.1119 ofers@xxxxxxxxxx www.breach.com