Questions tagged [sslstrip]

SSLstrip is an attack against mixed HTTP/HTTPS connections where a man-in-the-middle downgrades HTTPS links to HTTP.

SSLstrip is a man-in-the-middle attack that consists of changing https links to http and thus changing a connection from being partly HTTP, partly HTTPS to being fully HTTP.

A remedy against SSLstrip is to not connect to a server using HTTP at all in the first place. This can be done by the user by typing an https URL (if the website retains HTTPS throughout). The website can use HSTS to request that the browser connect directly using HTTPS for subsequent connections.

109 questions
244 votes, 14 answers

My college is forcing me to install their SSL certificate. How to protect my privacy?

My college administration is forcing us to install Cyberoam Firewall SSL certificate so that they can view all the encrypted traffic to "improve our security". If I don't install the certificate then I won't be able to use their network. What are…
svetaketu
100 votes, 4 answers

How does SSLstrip work?

I've been reading up on SSLstrip and I'm not 100% sure on my understanding of how it works. A lot of documentation seems to indicate that it simply replaces occurrences of "https" with "http" in traffic that it has access to. So a URL passing…
Scott Helme
34 votes, 6 answers

Can a secure cookie be set from an insecure HTTP connection? If so, why is it allowed?

With reference to some security paper I read, I found out that a cookie with the secure flag set can only be sent by the client over connections that are using HTTPS, not HTTP, but the cookie itself can be set from the server with a secure flag from…
mfs
26 votes, 3 answers

Bypassing HTTP to HTTPS cached 301 redirect to use SSLstrip

I'm doing some pen. tests on an HTTPS (443) server that does not have HSTS implemented (no HSTS headers on response and the address is not on Chrome HSTS preload list). The problem is that in my scenario the user has visited the web site before, so…
Bruno
22 votes, 2 answers

Is there any point in having the HSTS header enabled when using HTTP/2?

As a protection against attacks such as SSLstrip, the HSTS header prevents an attacker from downgrading a connection from HTTPS to HTTP, as long as the attributes of the header are properly configured. However, HTTP/2, whilst not making encryption…
user96649
22 votes, 4 answers

Options when defending against SSLstrip?

I'm wondering, does anyone have any suggestions to defend against SSLstrip particularly?
Skizit
18 votes, 5 answers

Is using "HTTPS everywhere" extension secure?

I would like to know if one should use 'HTTPS everywhere' extension? Is it secure to use it? Are there any better alternatives? HTTPS Everywhere is a Firefox and Chrome extension that encrypts your communications with many major websites, making…
vaichidrewar
16 votes, 1 answer

What is the difference between MITMproxy and SSLsplit?

I am aware that MITMproxy only captures HTTP/HTTPS protocols where SSLsplit is a transparent proxy and therefore can capture also other non-HTTP protocol communications. However MITMproxy can also operate as a transparent proxy. Hence I would…
Irene Ant
15 votes, 2 answers

HSTS bypass with SSLstrip2 + DNS2proxy

I am trying to understand how to bypass HSTS protection. I've read about tools by LeonardoNve ( https://github.com/LeonardoNve/sslstrip2 and https://github.com/LeonardoNve/dns2proxy ). But I don't quite get it. If the client is requesting for the…
Nikkolasg
15 votes, 2 answers

Is an HTTP 301 redirect to HTTPS, insecure?

For a website, I force a 301 redirect from http://login.example.com to https://login.example.com using a .htaccess file. As I read in this question this still imposes a security threat. I'm wondering how this still poses a threat. Could anyone…
Jortiexx
13 votes, 1 answer

How can mobile sign-on be secured from imposter authentication screens?

History seems to have come almost full circle where old issues are shown in new/emerging technologies. Background If you trust the operating system, Windows originally had the Control - Alt - Delete as a way to prevent TSR (Terminate and Stay…
makerofthings7
12 votes, 1 answer

How does bypassing HSTS with SSLSTRIP+ work exactly?

I am doing research on bypassing HSTS. I read this guide on bypassing HSTS using SSLSTRIP+, but there are a few things that I don't understand. First thing to do is to fire up MITMf in SSLstrip+ mode, I'll also be using classic ARP spoofing to…
Tijme
12 votes, 2 answers

How to thwart sslstrip attack?

I need help understanding the dynamics of an sslstrip attack. I'm using it to test the security of a site that I own. I can successfully sniff the victim's (in this case, my own) credentials over the internet but when the same attack happens against…
Saladin
10 votes, 3 answers

Does sslstrip work only on websites which use both HTTP and HTTPS?

Does sslstrip attack only work on websites which use both HTTP and HTTPS? On Quora a commenter says that: One thing to note is that, SSL Strip only works on websites which uses both HTTP & HTTPS. For example, Ebay, where the main page is over …
Hasan
8 votes, 4 answers

Mitigating SSLStrip by only serving a site over HTTPS?

So I just learned about SSLStrip now--I feel like I'm so late to the game. What I want to know is: If your site only serves content over HTTPS and hard fails on HTTP requests, with no redirect, are you still vulnerable? Can an attacker intercept…
John