sslstrip

Kirk
suck-o enforcer
Posts: 547
Joined: 25 Apr 2009, 16:00

sslstrip

Post by Kirk »

So I just discovered sslstrip is pretty much obsolete these days.

I read a few things, going to keep reading. One article was saying that the browsers respond to a server that requests it use HSTS. Doesn't allow the browser to downgrade to HTTP. Adds a line to the header "strict-transport-security" with an amount of time that the browser should use HTTPS for. And it's usually a really long time. Firefox even adds a list of sites that should be connected with HTTPS only.

So what are some things I can look at to go back to sslstripping or the equivalent? They sure are making this stuff hard these days. I can't keep up with it. I just don't know how to program enough.

bad_brain
Site Owner
Posts: 11636
Joined: 06 Apr 2005, 16:00
Location: In your eye floaters.

Re: sslstrip

Post by bad_brain »

hm, will be very hard to find something. especially after the latest SSL flaws (POODLE) most frameworks updated their security (not just from SSL3 to TLS I mean, also in general).
I can only speak about CC payments processors like authorize.net for example....they simply don't work at all anymore when NOT using a secure connection...which means there wouldn't even be something to capture because already after the initial "is connection secure?" check, which is done first, the request is dropped so the data is never sent.

I think the whole topic is pretty dead, as long as you cannot come up with a "real" MITM attack....which is of course a pain in the ass to realize, especially with specific targets.

Kirk
suck-o enforcer
Posts: 547
Joined: 25 Apr 2009, 16:00

Re: sslstrip

Post by Kirk »

I guess that WiFi Pineapple does something like a truer MITM attack. It doesn't just use ARP to jump in the middle. You use it to force a user to connect to your Pineapple, then you can do whatever. You can use a phishing site that is hosted on it. I wonder if you can use it to connect to the site with SSL but give the user a non-SSL page. The Pineapple would respond as "yes, I'm SSL" but to the user it would only be HTTP. I'm going to google it more and see what I can find. I really won't know much till I get it. I just ordered it so maybe in a week I'll have it.
