
Suppose a site allows a connection to be established with HTTP or HTTPS. If you establish a connection to http://www.example.com or https://www.example.com then all further links on the page displayed will have HTTP or HTTPS correspondingly. I understand that an attacker can degrade your HTTPS connection to HTTP using MITM and then can take over your account, but I want to know whether it can pose any other threat other than this?

justtrying123
    Are you the site owner or site user? As a site operator, I basically force all connections to my site to be HTTPS. Non-HTTPS connections are redirected to the HTTPS equivalent. – Kevin Li Mar 29 '14 at 22:15
  • 2
  • If they connect to HTTP first, you can poison their DNS cache and make a fake login page that submits to your computer. Or you can make an entire fake page on your site (which appears to be the site they're trying to visit) that gives them false information (i.e., a fake story if it's a site like Yahoo!) – KnightOfNi Mar 30 '14 at 01:22
  • But all those scenarios are when attacker and victim are on the same network; can there be any threat when attacker and victim are not on the same network? – justtrying123 Mar 30 '14 at 05:04
  • @exploitprotocol - DNS cache poisoning can be performed by an attacker against a victim on a separate network. This relies on their DNS server having certain weaknesses, but those weaknesses are pretty common. – paj28 Mar 30 '14 at 20:04

3 Answers

2

Not all links are restricted to your initial request; if you include the protocol (e.g: http or https), then you can jump between both. If you just have relative URL locations (such as: "/dir/page.php" instead of "https://site.com/dir/page.php"), then you'll stick to the same protocol.

Websites can implement Hypertext Strict Transport Security, this will force a browser to only use the HTTPS protocol for a website. The drawback is that the initial request remains vulnerable if it was done over a non-SSL channel.

As for the other ways you asked about: depending on your browser's mixed content handling, an attacker could inject JavaScript into cleartext requests and access your DOM.

ndrix
  • But all those scenarios are when attacker and victim are on the same network; can there be any threat when attacker and victim are not on the same network? – justtrying123 Mar 30 '14 at 06:00
  • Anybody who sits between your machine and the target site can be an attacker. This can range from network admins / proxy admins (also at the website's end), ISPs and governments. – ndrix Mar 30 '14 at 06:02
  • Let us consider that there are no MITM attacks; then is there still any further attack? – justtrying123 Mar 30 '14 at 06:03
  • SSL merely implements confidentiality, data integrity and authenticity; this is challenged by MiTM. Attacks against websites will continue to exist, regardless of SSL. Oh, and the client can also be hijacked, etc. – ndrix Mar 30 '14 at 06:08
1

An easy way to do an SSL-strip attack is to offer a WLAN access point at a place where a public access point already exists (Moxie Marlinspike did this to demonstrate SSL-strip). As soon as somebody connects via your access point and visits a website with the HTTP protocol, you can read everything he sends and return everything you want. If the first page were requested with HTTPS, you could not read the content.

That's what the HSTS policy can mitigate: usually people visit important websites the first time at home in a safe network; later, when they use a public WLAN, the stored HSTS header tells the browser to accept only HTTPS requests. This of course only works if the site delivers HTTPS only and does not return mixed HTTP/HTTPS pages.

martinstoeckli
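The two answers above describe the same two checks a site operator can run: does the response carry a usable HSTS policy, and does the page still contain absolute http:// references that a stripped or mixed-content page would send in cleartext? The following script, an added example that is not part of any answer on this page, parses a Strict-Transport-Security header and audits a page body for such references. The header value, HTML and host names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed sample response (not taken from the page): an HTTPS site that
# sets HSTS but still embeds some absolute http:// links.
SAMPLE_HEADERS = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}
SAMPLE_HTML = """
<a href="/dir/page.php">relative link, inherits the page's scheme</a>
<a href="http://www.example.com/login">absolute http, same host</a>
<script src="http://cdn.example.com/app.js"></script>
<a href="https://www.example.com/secure">absolute https</a>
"""

def parse_hsts(value):
    """Return (max_age, include_subdomains) or None when no valid policy is set.
    Browsers ignore the header unless it carries a numeric max-age; max-age=0 clears it."""
    if not value:
        return None
    max_age, include_sub = None, False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            arg = arg.strip().strip('"')
            if not arg.isdigit():
                return None
            max_age = int(arg)
        elif name == "includesubdomains":
            include_sub = True
    return None if max_age is None else (max_age, include_sub)

def audit(headers, html, page_host):
    """Classify absolute http:// references in the page: ones a stored HSTS policy
    for page_host would upgrade, and ones that would still leave in cleartext."""
    policy = parse_hsts(headers.get("Strict-Transport-Security"))
    upgraded, cleartext = [], []
    for url in re.findall(r'(?:href|src)="([^"]+)"', html):
        parts = urlsplit(url)
        if parts.scheme != "http":
            continue  # relative URLs keep the current scheme; https is already encrypted
        host = parts.hostname or ""
        covered = policy is not None and (
            host == page_host or (policy[1] and host.endswith("." + page_host)))
        (upgraded if covered else cleartext).append(url)
    # Note: HSTS only helps on visits after a successful HTTPS load stored the
    # policy; the very first plain-HTTP request is not protected by it.
    return {"hsts": policy, "upgraded_by_hsts": upgraded, "still_cleartext": cleartext}
```

Running `audit(SAMPLE_HEADERS, SAMPLE_HTML, "www.example.com")` reports the CDN script as the reference HSTS does not cover, since cdn.example.com is not a subdomain of www.example.com.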
0

Well yes, seeing as you're now browsing the internet with cleartext requests and responses, but it would only prove a big issue with accounts, as you mention. It wouldn't be an issue if you were browsing Google per se. Moxie Marlinspike has done a lot of research into the SSL/TLS protocols and created a tool called sslstrip. Thus the only threat is that the attacker has control of all your traffic.

Sighbah
  • Thanks for giving your inputs, but that is not the answer to the question. If you find any difficulty in understanding the question then I can help you. – justtrying123 Mar 29 '14 at 20:44
  • Yeah, it is kind of confusing, but if someone is in the position to do a MITM attack on you, they are probably already in your network and could potentially do anything. – Sighbah Mar 29 '14 at 20:46
  • If the attacker and victim are not on the same network, then do we still have a threat? – justtrying123 Mar 29 '14 at 20:52
  • Not anything other than what you have specified, I don't think. – Sighbah Mar 29 '14 at 21:46