
Cain & Abel : Hacking 101



Cain and Abel is indeed a wonderful tool to have. It has many features that can be used to exploit a Windows-based PC.

The latest version is faster and contains a lot of new features like APR (ARP Poison Routing), which enables sniffing on switched LANs and Man-in-the-Middle attacks. The sniffer in this version can also analyze encrypted protocols such as SSH-1 and HTTPS, and contains filters to capture credentials from a wide range of authentication mechanisms.


Cain and Abel can do wondrous things. From cracking passwords and deploying backdoor services to a remote computer, to sniffing passwords across the network (HTTPS included!), Cain and Abel can do it with ease...

We have all been led to believe that HTTPS is the answer to the weakness found in the ol' HTTP (where passwords are sent in clear text). HTTPS tries to address that weakness by deploying a certificate, used to encrypt and decrypt the HTTP data transfer.

Cain and Abel manages to decrypt HTTPS traffic thanks to its ability to perform a Man-in-the-Middle (MiTM) attack. This attack is quite well known and has been much discussed. In a nutshell, say that you are making a phone call to your girlfriend. The party with the ability to record and hear your conversation with your girlfriend would be your telco provider, wouldn't it? That is how MiTM works. By placing himself between you and the web server, the hacker can read and monitor your data transfer. Sounds scary, eh? What about online banking?

A lot of online banks use HTTPS to encrypt the password sent across the network, while many social networking websites like Friendster, MySpace and Facebook just use good ol' HTTP.

To learn more about the attack, you can view Brian Wilson's video on Cain and Abel, sniffing passwords across the network. Now remember that in this kind of attack, you are flooding your switch so that it becomes a hub. And in HTTPS traffic capture, the end user will receive a pop-up asking them to accept a certificate. If the end user doesn't accept the certificate, he/she can't view the web page. So needless to say, the end user has to accept the certificate pop-up in order to view his online banking page.
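From the defender's side, ARP poisoning leaves a trace in each victim's ARP cache: the gateway's IP starts resolving to another host's MAC address. The following is an added example, not part of the original post, that compares two snapshots of Windows `arp -a` output and flags that pattern; the function names, addresses and sample tables are constructed for illustration.

```python
import re
from collections import defaultdict

# Data rows of Windows `arp -a` output: IP address, MAC address, entry type.
ROW = re.compile(r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+"
                 r"((?:[0-9a-f]{2}-){5}[0-9a-f]{2})\s+(\w+)\s*$", re.I)

# Constructed sample snapshots (not captured from a real network).
BASELINE = """Interface: 192.168.1.10 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           00-1a-2b-3c-4d-5e     dynamic
  192.168.1.23          00-aa-bb-cc-dd-23     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
"""
POISONED = """Interface: 192.168.1.10 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           00-aa-bb-cc-dd-23     dynamic
  192.168.1.23          00-aa-bb-cc-dd-23     dynamic
"""

def parse_arp_table(text):
    """Return {ip: mac} for dynamic entries; static/broadcast rows are skipped."""
    table = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m and m.group(3).lower() == "dynamic":
            table[m.group(1)] = m.group(2).lower()
    return table

def find_anomalies(baseline, current, gateway_ip):
    """Compare two snapshots and return a list of findings as strings."""
    findings = []
    # 1. An IP whose MAC changed since the baseline; the gateway is the critical case.
    for ip, mac in current.items():
        old = baseline.get(ip)
        if old and old != mac:
            sev = "CRITICAL" if ip == gateway_ip else "WARN"
            findings.append(f"{sev}: {ip} moved from {old} to {mac}")
    # 2. One MAC answering for several IPs (can also be proxy ARP, so treat as a lead).
    by_mac = defaultdict(list)
    for ip, mac in current.items():
        by_mac[mac].append(ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            findings.append(f"WARN: {mac} claims {', '.join(sorted(ips))}")
    return findings
```

Feed it a known-good snapshot taken when the network was trusted and a fresh one from the same machine; an empty list means neither pattern was seen.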

In short, you can deploy a new encryption algorithm on today's widely used protocols (HTTP, FTP, POP, SMTP). But if the protocol itself has problems, don't expect the new encryption to mask the weakness. It will still be there. So unless someone creates a new protocol to replace the HTTP TCP stack, your password can be sniffed...


