Protecting against MITM and sslstrip attacks

Last Modified: Sat, 11 Feb 2012 17:30:33 +0000 ; Created: Sat, 11 Feb 2012 17:30:33 +0000

I was playing with sslstrip and discovered that Google's Chrome and Mozilla's Firefox web browsers actually protect some popular web sites against it. sslstrip works by rewriting any request for a secure (SSL/HTTPS) URL into a plain, insecure one. This allows an attacker on the same network to trick users' machines into routing their traffic through the attacker's box when accessing sites, and to rewrite the site's content on the way through.

This isn't a problem if the user types in the URL with https:// first, but most users don't, so usually a site like your bank or Gmail will redirect you from the plain page to the secure one. sslstrip takes advantage of this and stops the secure redirect which most servers.

The solution to stopping this is called HSTS (HTTP Strict Transport Security). Basically the server sends a response header telling the web browser to never use insecure URLs for that site again, no matter what the server's response HTML says. Neat idea.

One thing, of course, is that sslstrip or another program could just remove the HSTS header from the server's response before the browser ever sees it. Google currently prevents this by simply hard-coding into the browser a list of web sites that are known to reply with the HSTS header (e.g. PayPal, Gmail). This isn't scalable, so one proposal is to move the HSTS requirement into DNS, protected by DNSSEC, instead.
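To make the HSTS behaviour described above concrete, here is a small client-side HSTS store written as an added example (not code from the original post, and not the browsers' own implementation). It parses the Strict-Transport-Security header, only honours it when received over TLS, upgrades later http:// URLs to https://, and includes a constructed stand-in for the hard-coded preload list; the example.test host names are assumptions for the demo.

```python
import time
from urllib.parse import urlsplit, urlunsplit

# Constructed stand-in for a browser's built-in (preloaded) HSTS list:
# host -> whether the policy also covers subdomains.
PRELOADED = {"mail.example.test": True}

def parse_hsts(header):
    # Returns (max_age, include_subdomains) or None if the value is unusable.
    max_age, include_subdomains = None, False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "max-age" and value.isdigit():
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
    return None if max_age is None else (max_age, include_subdomains)

class HstsCache:
    # Minimal user-agent side HSTS store with simplified RFC 6797 semantics.
    def __init__(self, now=time.time):
        self.now, self.entries = now, {}  # host -> (expiry, include_subdomains)
    def observe(self, host, header, over_tls):
        # The header only counts when received over TLS, so a stripped (plain
        # HTTP) connection can neither plant nor withdraw a policy.
        policy = parse_hsts(header) if over_tls else None
        if policy is None:
            return False
        max_age, subs = policy
        if max_age == 0:
            self.entries.pop(host.lower(), None)  # max-age=0 withdraws the policy
        else:
            self.entries[host.lower()] = (self.now() + max_age, subs)
        return True
    def is_known(self, host):
        labels = host.lower().split(".")
        for i in range(len(labels)):  # the host itself, then each parent domain
            cand, exact = ".".join(labels[i:]), i == 0
            if cand in PRELOADED and (exact or PRELOADED[cand]):
                return True
            entry = self.entries.get(cand)
            if entry and entry[0] > self.now() and (exact or entry[1]):
                return True
        return False
    def rewrite(self, url):
        # Upgrade http:// to https:// before the request ever leaves the client.
        p = urlsplit(url)
        if p.scheme == "http" and p.hostname and self.is_known(p.hostname):
            return urlunsplit(("https", p.netloc, p.path, p.query, p.fragment))
        return url
```

Note that a host with no cached or preloaded policy is left on http:// for its very first visit; that first, unprotected request is exactly the window sslstrip relies on, which is why the preload list matters.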