Stripping SSL and Sniffing HTTPS using SSLstrip
Posted: Sat Jan 29, 2011 4:48 pm
by Dukeswharf
Just came across this video. Is NoScript able to counteract this?
http://securitytube.net/Stripping-SSL-a ... video.aspx
Re: Stripping SSL and Sniffing HTTPS using SSLstrip
Posted: Sat Jan 29, 2011 4:53 pm
by Giorgio Maone
Yes.
Manual HTTPS enforcement and HSTS are meant to protect against this kind of attack.
Re: Stripping SSL and Sniffing HTTPS using SSLstrip
Posted: Sun Jan 30, 2011 10:38 am
by dhouwn
Note that HSTS is not able to protect against this attack when the very first request to a site is over a MITMed line.
Re: Stripping SSL and Sniffing HTTPS using SSLstrip
Posted: Sun Jan 30, 2011 11:22 am
by Giorgio Maone
dhouwn wrote: Note that HSTS is not able to protect against this attack when the very first request to a site is over a MITMed line.
Where "very first" here means "very first in the whole browser's lifetime", which is very unlikely, i.e.:
- You're connecting from a workstation which is not yours (equally dangerous, since it may be keylogged) or
- you're registering yourself for the very first time to a confidential service from a public or otherwise hostile network
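The two points made in this thread (HSTS protects once a policy has been learned over HTTPS, and manual HTTPS enforcement covers the very first visit that HSTS cannot) can be seen by simulating a browser's HSTS cache. The following is an added example written for this page; it is not code from the thread, from NoScript or from sslstrip. The host name bank.example, the `HstsCache` class and the `later_http_request` helper are constructed for the illustration.

```python
"""Simulation of how a browser's HSTS cache decides whether a plain-http
request is upgraded to https. Added illustration, not NoScript code.
Host names and helper names below are constructed for the example."""
import re
from dataclasses import dataclass, field

# Strict-Transport-Security directives (RFC 6797): max-age is mandatory,
# includeSubDomains is optional, directive names are case-insensitive.
MAX_AGE_RE = re.compile(r"max-age\s*=\s*\"?(\d+)\"?", re.IGNORECASE)


def parse_hsts(header_value):
    """Return (max_age_seconds, include_subdomains), or None if the header is absent or invalid."""
    if not header_value:
        return None
    m = MAX_AGE_RE.search(header_value)
    if m is None:
        return None
    directives = [d.strip().lower() for d in header_value.split(";")]
    return int(m.group(1)), "includesubdomains" in directives


@dataclass
class HstsCache:
    """Per-browser store of learned HSTS policies plus hosts the user pinned manually."""
    policies: dict = field(default_factory=dict)  # host -> (expiry_time, include_subdomains)
    pinned: set = field(default_factory=set)      # manual HTTPS enforcement / preload list

    def record_response(self, host, scheme, headers, now):
        """Learn a policy from a response. Only https responses count (RFC 6797 section 8.1),
        so a first visit answered over plain http can never seed the cache."""
        if scheme != "https":
            return False
        parsed = parse_hsts(headers.get("Strict-Transport-Security"))
        if parsed is None:
            return False
        max_age, include_sub = parsed
        if max_age == 0:  # max-age=0 means "forget this host"
            self.policies.pop(host, None)
            return False
        self.policies[host] = (now + max_age, include_sub)
        return True

    def must_use_https(self, host, now):
        """True if a pinned entry or an unexpired policy (own, or a parent with includeSubDomains) applies."""
        if host in self.pinned:
            return True
        labels = host.split(".")
        for i in range(len(labels)):
            entry = self.policies.get(".".join(labels[i:]))
            if entry is None:
                continue
            expiry, include_sub = entry
            if expiry <= now:
                continue
            if i == 0 or include_sub:
                return True
        return False

    def effective_scheme(self, requested_scheme, host, now):
        """Scheme the browser actually uses for a URL the user typed or followed."""
        return "https" if self.must_use_https(host, now) else requested_scheme


def later_http_request(first_visit_over_https, manually_enforced=False, now=1_000_000):
    """Scheme used for a plain-http request one hour after the first visit to bank.example
    (constructed host). Shows learned HSTS on one side and manual enforcement on the other."""
    cache = HstsCache()
    if manually_enforced:
        cache.pinned.add("bank.example")
    if first_visit_over_https:
        cache.record_response("bank.example", "https",
                              {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}, now)
    else:
        # First visit answered over plain http with no HSTS header: nothing is learned.
        cache.record_response("bank.example", "http", {}, now)
    return cache.effective_scheme("http", "bank.example", now + 3600)


if __name__ == "__main__":
    print("first visit https, later http  ->", later_http_request(True))         # https
    print("first visit stripped, later http ->", later_http_request(False))       # http
    print("stripped but manually enforced ->", later_http_request(False, True))   # https
```

The third case is the one Giorgio describes: a host the user has forced to HTTPS is upgraded regardless of whether an HSTS header was ever seen, which is why the gap dhouwn points out only matters for a site that is neither pinned nor previously visited over HTTPS in this browser.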