How does SSLstrip work?
I've been reading up on SSLstrip and I'm not 100% sure on my understanding of how it works.
A lot of documentation seems to indicate that it simply replaces occurrences of "https" with "http" in traffic that it has access to. So a URL passing through such as "https://twitter.com" would be passed on to the victim as "http://twitter.com".
At this point does SSLstrip continue to communicate with Twitter via HTTPS on our behalf? Something like this:
Victim <== HTTP ==> Attacker <== HTTPS ==> Twitter
Or is it just the fact that the client is now communicating with Twitter over HTTP that gives us access to the traffic?
Victim <== HTTP ==> Attacker <== HTTP ==> Twitter
My guess is it would be the first option, where the Attacker continues to communicate with Twitter via HTTPS as it is enforced by Twitter, but I would just like some clarification. Thanks.
You should watch Moxie Marlinspike's talk Defeating SSL using SSLStrip. In short SSLStrip is a type of MITM attack that forces a victim's browser into communicating with an adversary in plain-text over HTTP, and the adversary proxies the modified content from an HTTPS server. To do this, SSLStrip is "stripping" https:// URLs and turning them into
HSTS is a proposed solution to this problem.
Brilliant, that answered my question. It was actually problems I encountered with HSTS in Chrome and its preloaded list of sites that got me questioning how it works. Thanks!
HTTPS-Everywhere isn't really a solution to this problem. It can mitigate it for sites with explicit rules defined, but that's not really a scalable solution.
HTTPS-Everywhere is a solution when providers start serving TLS only! Then there is no need to upgrade the connection and no possibility to downgrade it in this way. And there are some pages proving that TLS-only is perfectly doable.