
Ah sorry, didn't understand it correctly. sslstrip used to be a thing, is it still? I haven't been in touch with the status quo.


sslstrip doesn't crack ssl, it MitMs non-ssl HTTP responses to switch https to MitM http addresses.

If you start on HTTPS and never access plain HTTP resources, it's powerless, otherwise there would be no way to be safe on a public network at all.


I just typed catb.org (random website I know only serves HTTP) into Chrome's address bar and it landed me on the HTTP version, no warnings or anything. I assume Firefox works the same, but I can't be bothered to disable HTTPS-only mode.

sslstrip will still work today on any website that doesn't use HSTS. It will work for the first ever visit (by that browser) of a website that uses HSTS if they aren't on the preload list. A surprising number of websites have neither.
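
An added example, not part of any comment in this thread: a small classifier that takes a site's `Strict-Transport-Security` response header and reports which of the cases described above it falls into. The function names and sample headers are constructed for illustration; the one-year threshold is the hstspreload.org submission minimum.

```python
# Added example: classify a site's exposure to HTTPS stripping from its
# Strict-Transport-Security response header (RFC 6797 syntax).
PRELOAD_MIN_AGE = 31536000  # one year, the hstspreload.org submission minimum


def parse_hsts(header):
    """Return {directive: value} with lowercase names, or None if invalid."""
    directives = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        name = name.strip().lower()
        if name in directives:  # RFC 6797: a directive may appear only once
            return None
        directives[name] = value.strip().strip('"')
    if not directives.get("max-age", "").isdecimal():
        return None  # max-age is required and must be a non-negative integer
    return directives


def classify(header, over_https=True):
    """Describe which visits to the site can still be downgraded to HTTP."""
    if not over_https or header is None:
        # Browsers ignore the header on plain-HTTP responses (RFC 6797, 8.1)
        return "no HSTS: any visit that starts on plain HTTP can be downgraded"
    d = parse_hsts(header)
    if d is None or int(d["max-age"]) == 0:  # max-age=0 clears the HSTS entry
        return "no HSTS: any visit that starts on plain HTTP can be downgraded"
    preload_ready = (int(d["max-age"]) >= PRELOAD_MIN_AGE
                     and "includesubdomains" in d and "preload" in d)
    if preload_ready:
        return "HSTS, preload-eligible: covered from first visit once listed"
    return "HSTS only: first visit per browser (or after expiry) is exposed"


# Constructed sample headers, not captured from real sites.
SAMPLES = [
    (None, True),
    ("max-age=31536000; includeSubDomains; preload", True),
    ("max-age=86400", True),
    ("max-age=0", True),
    ("max-age=31536000; includeSubDomains; preload", False),
]

if __name__ == "__main__":
    for header, https in SAMPLES:
        print(repr(header), "https" if https else "http", "->", classify(header, https))
```

Meeting the header requirements only makes a site eligible for the preload list; until the domain is actually listed and shipped in browsers, the first visit is still the unprotected one.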


That's assuming the average internet user types a url into their address bar instead of using their browser's "new tab page" with recent sites (all probably HTTPS) and finding non-history pages through a search engine that will be HTTPS by default and point mostly to HTTPS endpoints.

So yes, you can catch a subset of users who type new urls into their address bar, but that's a minority of people a minority of the time.



