Moxie Marlinspike
Moxie Marlinspike is an American researcher and cypherpunk. His research has focused primarily on techniques for intercepting communication, as well as methods for strengthening communication infrastructure against interception. Marlinspike is the former head of the security team at Twitter, co-author of the Signal Protocol, and a fellow at the Institute for Disruptive Studies. Marlinspike moved to in the late 1990s. In 2004, Marlinspike bought a derelict sailboat and, along with three friends, refurbished it and sailed around the while making a documentary about their journey called Hold Fast. The firm made Whisper Systems’ apps .
Marlinspike left Twitter in early 2013 and founded Open Whisper Systems as a collaborative open source project for the continued development of TextSecure and RedPhone. At the time, Marlinspike and Trevor Perrin started developing the Signal Protocol, an early version of which was first introduced in the TextSecure app in February 2014. In November 2015, Open Whisper Systems unified the TextSecure and RedPhone applications as Signal. Between 2014 and 2016, Marlinspike worked with , Facebook, and to integrate the Signal Protocol into their messaging services.
Notable research
SSL stripping
In a 2009 paper, Marlinspike introduced the concept of SSL stripping, a man-in-the-middle attack in which a network attacker could prevent a browser from upgrading to an SSL connection in a subtle way that would likely go unnoticed by a user. He also announced the release of a tool, <code>sslstrip</code>, which would automatically perform these types of man-in-the-middle attacks. The HTTP Strict Transport Security (HSTS) specification was subsequently developed to combat these attacks.
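To make the mitigation concrete, here is an added example in Go (not from the article and not from any of Marlinspike's projects) that parses a Strict-Transport-Security header value and audits it for the settings that still leave a first plain-HTTP request open to stripping. The directive syntax follows RFC 6797; the one-year floor, the sample header values and the finding texts are this example's own choices.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// HSTSPolicy holds the directives parsed from a Strict-Transport-Security
// header value (RFC 6797: max-age=<seconds>[; includeSubDomains][; preload]).
type HSTSPolicy struct {
	MaxAge            int64
	IncludeSubDomains bool
	Preload           bool
}

// ParseHSTS parses a header value. Directive names are case-insensitive,
// max-age is required, unknown directives are ignored as RFC 6797 requires,
// and a duplicate max-age is treated as an error.
func ParseHSTS(value string) (HSTSPolicy, error) {
	var p HSTSPolicy
	seenMaxAge := false
	for _, raw := range strings.Split(value, ";") {
		directive := strings.TrimSpace(raw)
		if directive == "" {
			continue
		}
		name, arg, hasArg := strings.Cut(directive, "=")
		switch strings.ToLower(strings.TrimSpace(name)) {
		case "max-age":
			if seenMaxAge {
				return p, errors.New("duplicate max-age directive")
			}
			seenMaxAge = true
			if !hasArg {
				return p, errors.New("max-age without a value")
			}
			secs, err := strconv.ParseInt(strings.Trim(strings.TrimSpace(arg), `"`), 10, 64)
			if err != nil || secs < 0 {
				return p, fmt.Errorf("invalid max-age %q", arg)
			}
			p.MaxAge = secs
		case "includesubdomains":
			p.IncludeSubDomains = true
		case "preload":
			p.Preload = true
		}
	}
	if !seenMaxAge {
		return p, errors.New("missing required max-age directive")
	}
	return p, nil
}

// minMaxAge is a one-year floor (the value browser preload lists ask for);
// a policy that expires sooner reopens the window in which the next request
// goes out as plain HTTP and can be downgraded.
const minMaxAge = 365 * 24 * 60 * 60

// AuditHSTS returns the weaknesses found in a header value; an empty result
// means every directive needed to close the stripping window is present.
func AuditHSTS(value string) []string {
	p, err := ParseHSTS(value)
	if err != nil {
		return []string{"unparseable header: " + err.Error()}
	}
	var findings []string
	if p.MaxAge == 0 {
		findings = append(findings, "max-age=0 removes the policy instead of enforcing it")
	} else if p.MaxAge < minMaxAge {
		findings = append(findings, fmt.Sprintf("max-age %d is below the one-year floor", p.MaxAge))
	}
	if !p.IncludeSubDomains {
		findings = append(findings, "includeSubDomains missing: subdomains can still be downgraded")
	}
	if !p.Preload {
		findings = append(findings, "preload missing: the very first visit is still unprotected")
	}
	return findings
}

func main() {
	// Constructed header values for the demonstration, not captured from any site.
	for _, v := range []string{
		"max-age=31536000; includeSubDomains; preload",
		"max-age=300",
		"includeSubDomains",
	} {
		fmt.Printf("%-48q -> %v\n", v, AuditHSTS(v))
	}
}
```

The audit deliberately treats a missing `preload` directive as a finding: HSTS is trust-on-first-use, so without preloading the browser has no policy at all on the first visit, which is exactly the request a stripping attack targets.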
SSL implementation attacks
Marlinspike has discovered a number of different vulnerabilities in popular SSL implementations. Notably, Marlinspike published a 2002 paper on exploiting implementations that did not correctly verify the “BasicConstraints” extension in certificate chains. This allowed anyone with a valid CA-signed certificate for any domain to create what appeared to be valid CA-signed certificates for any other domain. The vulnerable SSL/TLS implementations included the , making and all other Windows software that relied on SSL/TLS connections vulnerable to a man-in-the-middle attack. In 2011, the same vulnerability was discovered to have remained present in the SSL/TLS implementation on ‘s . Also notably, Marlinspike presented a 2009 paper in which he introduced the concept of a null-prefix attack on SSL certificates. He revealed that all major SSL implementations failed to properly verify the Common Name value of a certificate, such that they could be tricked into accepting forged certificates by embedding a null character into the CN field.
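The BasicConstraints check and the null-prefix check described above, as an added example in Go (not code from the article or from any project it mentions). It builds a constructed hierarchy with throwaway test keys: a root CA, a legitimate CA:FALSE leaf for "site.example", and a second leaf for "other.example" signed with the legitimate leaf's key. It then rejects the chain in which the leaf acts as an issuer, compares the result with Go's standard verifier, and flags a name that carries an embedded NUL. The certificate names, serial numbers and function names are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// ErrNotCA is returned when a certificate without BasicConstraints CA:TRUE
// sits in an issuer position of a chain.
var ErrNotCA = errors.New("issuer lacks BasicConstraints CA:TRUE")

// CheckIssuersAreCAs walks the issuers above the leaf (chain[0]) and rejects
// the first one that is not marked as a CA. Omitting this check is the defect
// described above: any end-entity certificate becomes a usable intermediate.
func CheckIssuersAreCAs(chain []*x509.Certificate) error {
	for i, c := range chain[1:] {
		if !c.BasicConstraintsValid || !c.IsCA {
			return fmt.Errorf("chain[%d] %q: %w", i+1, c.Subject.CommonName, ErrNotCA)
		}
	}
	return nil
}

// HasEmbeddedNull reports whether a certificate name contains a NUL byte, the
// hallmark of the null-prefix attack: a C-string comparison of such a name
// stops at the NUL and matches only the prefix.
func HasEmbeddedNull(name string) bool {
	return strings.ContainsRune(name, 0)
}

// newKey generates a fresh P-256 test key; nothing here is a real CA key.
func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// template builds a certificate template with BasicConstraints set explicitly.
// Leaves also get KeyUsageCertSign on purpose: CA:FALSE must be decisive alone.
func template(serial int64, cn string, isCA bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if !isCA {
		t.DNSNames = []string{cn}
	}
	return t
}

// sign issues tmpl under parent using the parent's private key.
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

// DemoChains returns the honest chain [leaf, root] and the rogue chain
// [rogueLeaf, leaf, root] in which the CA:FALSE leaf acted as an issuer.
func DemoChains() (honest, rogue []*x509.Certificate) {
	rootKey, leafKey, rogueKey := newKey(), newKey(), newKey()
	rootTmpl := template(1, "Demo Root CA", true)
	root := sign(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	leaf := sign(template(2, "site.example", false), root, &leafKey.PublicKey, rootKey)
	rogueLeaf := sign(template(3, "other.example", false), leaf, &rogueKey.PublicKey, leafKey)
	return []*x509.Certificate{leaf, root}, []*x509.Certificate{rogueLeaf, leaf, root}
}

// VerifyWithStdlib asks Go's verifier the same question; it enforces
// BasicConstraints on every issuer, so the rogue chain must fail here too.
func VerifyWithStdlib(chain []*x509.Certificate, host string) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(chain[len(chain)-1])
	for _, c := range chain[1 : len(chain)-1] {
		inters.AddCert(c)
	}
	_, err := chain[0].Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: host})
	return err
}

func main() {
	honest, rogue := DemoChains()
	fmt.Println("honest chain:", CheckIssuersAreCAs(honest), VerifyWithStdlib(honest, "site.example"))
	fmt.Println("rogue chain: ", CheckIssuersAreCAs(rogue), VerifyWithStdlib(rogue, "other.example"))
	fmt.Println("null in name:", HasEmbeddedNull("site.example\x00.other.example"))
}
```

Note that the rogue chain carries a signature that is mathematically valid at every link; only the CA:FALSE flag on the middle certificate distinguishes it from the honest one, which is why the check has to be explicit rather than inferred from signatures.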
Solutions to the CA problem
In 2011, Marlinspike presented a talk titled SSL And The Future Of Authenticity at the security conference in Las Vegas. He outlined many of the current problems with certificate authorities, and announced the release of a software project called to replace Certificate Authorities. In 2012, Marlinspike and Trevor Perrin submitted an Internet Draft for , which is designed to provide SSL and help solve the CA problem, to the IETF.
Cracking MS-CHAPv2
In 2012, Marlinspike and Hulton presented research that makes it possible to reduce the security of MS-CHAPv2 handshakes to a single DES key. Hulton built hardware capable of cracking the remaining DES encryption in less than 24 hours, and the two made the hardware available for anyone to use as an Internet service.
Traveling
Marlinspike says that when flying within the United States he is unable to print his own boarding pass, is required to have airline ticketing agents make a phone call in order to issue one, and is subjected to at security checkpoints.
While entering the United States via a flight from the Dominican Republic in 2010, Marlinspike was detained for five hours; federal agents requested his passwords, and all his electronic devices were confiscated and then returned.
Speaking engagements
- 17: “More Tricks for Defeating SSL”
- In 2016, named Marlinspike among its for being the founder of Open Whisper Systems and “[encrypting] the communications of more than a billion people worldwide”.
- In 2017, Moxie Marlinspike along with Trevor Perrin were awarded the Levchin Prize for Real World Cryptography “for the development and wide deployment of the Signal protocol”.