9

http://www.troyhunt.com/2013/05/your-login-form-posts-to-https-but-you.html

My question is, if the threat is that someone controls your internet connection and can serve up bad login pages, couldn't the attacker just serve you a page like facebook.com instead of https://www.facebook.com?

Many sites just have a 301 redirect to their secure site, so I don't see what prevents an attacker from taking advantage of the victim who types in facebook.com and then serving up that page with a fake login form. Is the idea that the user would notice that there's no lock in the upper left corner?

I'm definitely not the expert in this, so I'm asking to just further my knowledge; I'm not trying to disprove anyone and just want to understand security better.

tau
  • 397
  • 3
  • 8

2 Answers2

10

You are correct.

Some ways for the site to decrease that attack vector would be to...

Use an HSTS header to prevent any data from being sent to the site in plaintext.

Advertise only the HTTPS URL and do not allow any plaintext connections. This will ensure most bookmarks use encryption.

The point being that sites should force SSL from the beginning, which will help prevent MITM in the future. There is not much protecting the situation that you presented, as when using mixed content forms, you are vulnerable to sslstrip

David Houde
  • 5,464
  • 1
  • 27
  • 22
  • 2
    even without a first request from the client, the browser knows that it HSTS? if so how? if not how can this avoid that there is a forged malicious webpage send as a response to `facebook.com` (instead of the original malicious ;) – humanityANDpeace Apr 03 '14 at 07:27
  • 5
    Some browsers (Chrome, Firefox and maybe others) include a ["pre loaded"](https://blog.mozilla.org/security/2012/11/01/preloading-hsts/) list of domains and their HSTS entries. If your browser supports HSTS but the domain is not on the preloaded list the first time connecting (or connecting after max-age expired) over HTTP could be abused. – Darsstar Apr 03 '14 at 08:49
  • 1
    @humanityANDpeace This is only one way to reduce the risk, not remove it completely. While not always the case, it is very likely that a user has visited many sites before the MITM was implemented, resulting in their browser acknowledging the HSTS for the domain. First time visits are a crap shoot, unless pre-loaded in the browser per Darsstar's comment. – David Houde Apr 03 '14 at 11:17
  • 1
    A way to combat any HTTPS stripping by MITM attack - including 'first time visit' vulnerability - is to use a browser extension like [HTTP Nowhere](https://addons.mozilla.org/en-us/firefox/addon/http-nowhere/) that can be set to force all URLs to HTTPS and simply not communicate if no traffic will come down through HTTPS into the browser. The attacker would only be blocking the site to the user and nothing else. –  Jan 18 '15 at 04:13
4

Yes. The attacker could simply serve you http://www.facebook.com/ and hijack all the requests and responses to and from your computer. In that scenario, you are correct: it would be up to the user to be vigilant and realize that they are not browsing securely.

Kevin Li
  • 601
  • 4
  • 6
  • thank you very much for the answer. im gonna wait around to see if there are any more answers but i appreciate it! – tau Apr 03 '14 at 05:43