Just came across this video. Is NoScript able to counteract this?:
http://securitytube.net/Stripping-SSL-a ... video.aspx
Stripping SSL and Sniffing HTTPS using SSLstrip
-
- Posts: 13
- Joined: Mon Nov 08, 2010 5:24 pm
Stripping SSL and Sniffing HTTPS using SSLstrip
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13
- Giorgio Maone
- Site Admin
- Posts: 9524
- Joined: Wed Mar 18, 2009 11:22 pm
- Location: Palermo - Italy
- Contact:
Re: Stripping SSL and Sniffing HTTPS using SSLstrip
Yes.
Manual HTTPS enforcement and HSTS are meant to protect against this kind of attack.
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13
Re: Stripping SSL and Sniffing HTTPS using SSLstrip
Note that HSTS is not able to protect against this attack when the very first request to a site is over a MITMed line.
Mozilla/5.0 (X11; Linux i686; rv:2.0b10) Gecko/20100101 Firefox/4.0b10
- Giorgio Maone
Re: Stripping SSL and Sniffing HTTPS using SSLstrip
dhouwn wrote: Note that HSTS is not able to protect against this attack when the very first request to a site is over a MITMed line.
Where "very first" here means "very first in the whole browser's lifetime", which is very unlikely, i.e.:
- you're connecting from a workstation which is not yours (equally dangerous, since it may be keylogged) or
- you're registering yourself for the very first time to a confidential service from a public or otherwise hostile network
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13