www.rodneybeede.com "I would love to change the world, but they won't give me the source code" - unknown

Protecting against MITM and sslstrip attacks - Last Modified 2012-02-11 17:30 UTC - Created 2012-02-11 17:30 UTC

I was playing with sslstrip and discovered that Google's Chrome and Mozilla's Firefox web browsers actually protect some popular web sites against it. sslstrip works by sitting between the victim and the web server as a transparent proxy: it keeps a real HTTPS connection to the site, serves the victim plain HTTP, and rewrites every https:// link and redirect in the pages it relays into an http:// one. An attacker on the same network first has to get the victim's machine to route its web traffic through the attacking box; once that is done the victim's browser never sees an HTTPS page, while the server still believes it is talking over HTTPS.

This isn't a problem if the user types https:// into the address bar, but most users don't, so a site like your bank or Gmail normally receives a plain http:// request and answers with a redirect to the https:// version. sslstrip takes advantage of this: it intercepts the redirect that most servers send and hands the browser an http:// copy of the secure page instead, so the user stays on plain HTTP and never sees a certificate warning.

The defence against this is called HTTP Strict Transport Security (HSTS). The server sends a Strict-Transport-Security response header over HTTPS, and for the number of seconds given by its max-age directive the browser will only talk to that host over HTTPS: any http:// URL for it, whether typed, linked or redirected to, is rewritten to https:// before the request ever leaves the machine, and certificate errors become hard failures instead of click-through warnings, no matter what the server's response HTML says. Neat idea.

One gap of course is that the browser only learns the policy from a response it received over HTTPS, so on a first visit (or after a stored policy has expired) sslstrip or another program could just remove the HSTS header from the page it relays and the browser would be none the wiser. Google currently prevents this for a small set of sites by hard-coding into Chrome a "preload" list of hosts that must always be reached over HTTPS (ex: PayPal, Gmail). This isn't scalable, so one proposal is to publish the HSTS requirement in DNS, protected by DNSSEC, instead.
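To make the two points above concrete (the browser only trusts the header when it arrives over HTTPS, and a preload list covers the first visit that a dynamic policy cannot), here is an added example of a browser-side HSTS store. It is editor's code written for this page, not sslstrip or any browser's source. The header parsing follows the Strict-Transport-Security syntax (a required max-age, an optional includeSubDomains, unknown directives ignored); the PRELOAD entries and the bank.example host names are constructed for the example and are not the real preload list.

```python
"""Toy model of a browser HSTS store, showing why sslstrip only wins on a first
visit and why a preload list closes even that gap.  Editor's example code, not
sslstrip or browser source."""
import time
from urllib.parse import urlsplit, urlunsplit

# Constructed stand-in for the browser's built-in preload list:
# host -> includeSubDomains.  The real Chrome list is shipped with the browser.
PRELOAD = {"paypal.com": True, "mail.google.com": False}


def parse_hsts(value):
    """Parse a Strict-Transport-Security header value.

    Returns (max_age, include_subdomains), or None if the header is invalid
    (no max-age, non-numeric max-age, or a duplicated directive).
    """
    max_age, include_sub, seen = None, False, set()
    for directive in value.split(";"):
        if not directive.strip():
            continue
        name, _, val = directive.partition("=")
        name, val = name.strip().lower(), val.strip().strip('"')
        if name in seen:
            return None
        seen.add(name)
        if name == "max-age":
            if not val.isdigit():
                return None
            max_age = int(val)
        elif name == "includesubdomains":
            include_sub = True
        # any other directive (e.g. "preload") is ignored, as the spec requires
    return None if max_age is None else (max_age, include_sub)


class HstsStore:
    """What the browser remembers: preloaded hosts plus dynamically learned ones."""

    def __init__(self, preload=PRELOAD, now=time.time):
        self.preload = dict(preload)
        self.now = now                  # injectable clock, so expiry can be tested
        self.dynamic = {}               # host -> (expires_at, include_subdomains)

    def observe_response(self, url, headers):
        """Learn a policy from a response.  Only HTTPS responses count: a header
        seen over plain HTTP is ignored, so an on-path attacker can strip the
        header but cannot plant a bogus policy.  Returns True if a policy changed."""
        parts = urlsplit(url)
        value = headers.get("Strict-Transport-Security")
        if parts.scheme != "https" or value is None:
            return False
        policy = parse_hsts(value)
        if policy is None:
            return False
        max_age, include_sub = policy
        if max_age == 0:                # max-age=0 tells the browser to forget the host
            self.dynamic.pop(parts.hostname, None)
        else:
            self.dynamic[parts.hostname] = (self.now() + max_age, include_sub)
        return True

    def is_known(self, host):
        """True if host, or a parent domain with includeSubDomains, has a policy."""
        labels = host.split(".")
        for i in range(len(labels)):
            candidate, exact = ".".join(labels[i:]), (i == 0)
            if candidate in self.preload and (exact or self.preload[candidate]):
                return True
            entry = self.dynamic.get(candidate)
            if entry is not None:
                expires, include_sub = entry
                if expires <= self.now():
                    del self.dynamic[candidate]   # expired: back to first-visit state
                elif exact or include_sub:
                    return True
        return False

    def upgrade(self, url):
        """Rewrite http:// to https:// for known hosts before the request is sent.
        sslstrip cannot interfere with this step: no packet leaves the machine."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not self.is_known(parts.hostname):
            return url
        netloc = parts.netloc[:-3] if parts.netloc.endswith(":80") else parts.netloc
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    store = HstsStore(preload={}, now=lambda: 1000.0)
    # First visit: nothing is known, so the http:// request goes out and sslstrip
    # can answer with a downgraded page from which it has stripped the header.
    print(store.upgrade("http://bank.example/"))                  # http://bank.example/
    store.observe_response("http://bank.example/", {"Strict-Transport-Security": "max-age=1"})
    print(store.is_known("bank.example"))                         # False: ignored over HTTP
    # A later clean visit over HTTPS delivers the real policy...
    store.observe_response("https://bank.example/",
                           {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"})
    print(store.upgrade("http://www.bank.example/login"))         # https://www.bank.example/login
    # ...while preloaded hosts are protected from the very first request.
    print(HstsStore().upgrade("http://www.paypal.com/"))          # https://www.paypal.com/
```

The walk-through at the bottom is the attack narrative from the post in miniature: the first http:// request is the one sslstrip gets to answer, a stripped or forged header over HTTP changes nothing in the store, and only the preloaded hosts are upgraded before that first request is ever made. The max-age window is also the window in which an expired or never-seen policy puts the user back in the first-visit state, which is why sites choose long max-age values.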