2

In general browsers attempt to establish a HTTPs-Connection if possible. How would you force a browser to fallback to HTTP when somebody enters asdf.xyz in the search bar of his/her browser without specifying a protocol?

Therefore: sslstrip is probably not helpful as there are no links to "fake". Furthermore, it is assumed that the site does not use HSTS.

Assuming one can perform MITM - how would the routing with iptables be performed/which commands would you need to make the browser believe that HTTPs is not available and to fallback to HTTP?

Martin Dallinger
  • 123
  • 3

1 Answers1

5

I think you may have a slight misunderstanding in the premise of your question. If the site does not use HSTS, and the user enters example.com in the address bar of their browser, the browser will default to http://example.com, not https://example.com.

See the following questions on security.stackexchange.com, and elsewhere on stackexchange.com, for more information on this behavior:

Why do browsers default to http: and not https: for typed in URLs?

Why is HTTPS not the default protocol?

https://superuser.com/questions/799464/how-does-a-web-browser-know-if-destination-is-http-or-https

This is precisely why we now have HSTS. HTTPS Everywhere is another attempt at solving this problem.

mti2935
  • 19,868
  • 2
  • 45
  • 64
  • 2
    Except HTTPS Everywhere does not even try to work "everywhere", since it uses a whitelist. There is a plug-in called "Smart HTTPS" that will try HTTPS on every site before falling back to HTTP. – multithr3at3d Oct 25 '20 at 17:56