by panarky 3172 days ago
> 3. Everything you care about _should_ be going over TLS, which mitigates all effects of this attack.

This is probably the biggest misconception.

Many, many websites and APIs don't have HSTS enabled to force all connections to use TLS.

The author demonstrates using sslstrip to downgrade the connection of match.com to steal credentials.

How many people watch the green "secure" indicator in the URL bar to ensure it doesn't change mid-session?

How many thousands of apps don't even have such an indicator to observe?

How many millions of phones and APs will never get patched?

This is a severe vulnerability.
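The comment above turns on whether a site sends HSTS at all, and how well. The following is an added example, not code from the thread or from any of the sites it names: it parses a Strict-Transport-Security header and reports the gaps an sslstrip-style downgrade could still exploit (no header, short max-age, subdomains uncovered, not preload-eligible). The header values fed to it are constructed samples; the one-year threshold is the hstspreload.org minimum.

```javascript
// Added example (not from the thread): evaluate a Strict-Transport-Security
// header the way a reviewer would when asking "does this site resist sslstrip?"
// HSTS is trust-on-first-use: the browser only refuses plain HTTP after it has
// seen the header over a valid TLS connection, so the preload list is what
// covers the very first visit made on an attacker's network.

const ONE_YEAR = 31536000; // seconds; minimum max-age accepted by hstspreload.org

// Parse the header value into its directives (RFC 6797 syntax: `;`-separated,
// names case-insensitive, values optionally quoted). Returns null when the
// header is missing or invalid, which the browser treats as "no policy".
function parseHsts(headerValue) {
  if (typeof headerValue !== 'string') return null;
  const directives = {};
  for (const part of headerValue.split(';')) {
    const token = part.trim();
    if (!token) continue;
    const eq = token.indexOf('=');
    const name = (eq === -1 ? token : token.slice(0, eq)).trim().toLowerCase();
    let value = eq === -1 ? true : token.slice(eq + 1).trim();
    if (typeof value === 'string' && value.length >= 2 &&
        value.startsWith('"') && value.endsWith('"')) {
      value = value.slice(1, -1);
    }
    directives[name] = value;
  }
  // RFC 6797: max-age is mandatory and must carry a non-negative integer.
  const raw = directives['max-age'];
  if (raw === undefined || raw === true) return null;
  const maxAge = Number(raw);
  if (!Number.isInteger(maxAge) || maxAge < 0) return null;
  return {
    maxAge,
    includeSubDomains: 'includesubdomains' in directives,
    preload: 'preload' in directives,
  };
}

// Judge the downgrade exposure of a site from its header (null = no header).
function assessHsts(headerValue) {
  const policy = parseHsts(headerValue);
  const findings = [];
  if (policy === null) {
    findings.push('no valid HSTS policy: every request can be stripped to http');
    return { protected: false, preloadEligible: false, findings };
  }
  if (policy.maxAge === 0) {
    findings.push('max-age=0 clears the policy; site is effectively unprotected');
    return { protected: false, preloadEligible: false, findings };
  }
  if (policy.maxAge < ONE_YEAR) {
    findings.push(`max-age ${policy.maxAge}s is short; a user away longer is exposed again`);
  }
  if (!policy.includeSubDomains) {
    findings.push('subdomains not covered; a parent-scoped cookie can leak over http://sub');
  }
  const preloadEligible =
    policy.maxAge >= ONE_YEAR && policy.includeSubDomains && policy.preload;
  if (!preloadEligible) {
    findings.push("not preload-eligible: first visit on the attacker's network is unprotected");
  }
  return { protected: true, preloadEligible, findings };
}

// Constructed sample headers for a stand-alone run.
const SAMPLES = {
  'no header': null,
  'weak': 'max-age=300',
  'good': 'max-age=31536000; includeSubDomains; preload',
};
for (const [label, header] of Object.entries(SAMPLES)) {
  console.log(label, JSON.stringify(assessHsts(header)));
}
```

Run it under Node; the "good" sample produces no findings, while "weak" gets three (short max-age, no includeSubDomains, not preloadable). Checking a live site means fetching `https://host/` and passing the Strict-Transport-Security response header in; the header on an `http://` response is ignored by browsers and should be ignored here too.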

2 comments

> Many, many websites and APIs don't have HSTS enabled to force all connections to use TLS.

True. Yet another reason for us to push for it.

I have a Chrome extension that sets the background-color of all form fields to red if the site it was served on or the ACTION attr is not https.

That said, pretty much every website in my day except for casual reading is pinned to TLS. APIs are the notable exception you pointed out, but otherwise HSTS is quite widely used, and especially effective with preload lists.

> How many thousands of apps don't have this indicator to observe?

Sure there will be some, but your standard Java Apache client (along with 99% of the libraries used in apps) doesn't have this kind of downgrade behaviour. If they expect validated https, they will fail without it.

> This is a severe vulnerability.

Yep :D Not the end of the world. I think the main fallacy here is the implicit assumption that the link layer is secure. That has never really been the case and a broken wifi model is merely one more testament to this fact.
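The reply above mentions an extension that paints form fields red when the page or the form's `action` is not https. What follows is an added example of that check, written for this page and not the commenter's own extension: the decision is a pure function over the page URL and the action attribute, so it can be exercised outside a browser, and the DOM-walking part only runs when a `document` exists. The URLs in the demo are constructed; the resolution rules (empty action submits to the page URL, relative actions resolve against it) are the HTML ones.

```javascript
// Added example (not the commenter's extension): flag forms whose submission
// would travel over plain HTTP. Two distinct failure modes matter on a
// stripped connection: the page itself arrived over http (the victim never had
// a lock to watch), or an https page posts its credentials to an http action.

// Resolve the form's effective submission URL. A missing or empty action
// submits to the document URL itself; relative actions resolve against it, so
// an https page with action="/login" is fine.
function submissionUrl(pageUrl, action) {
  const base = new URL(pageUrl);
  if (action === null || action === undefined || action.trim() === '') return base;
  return new URL(action, base.href);
}

// Returns a reason string when the form is insecure, or null when it is not.
// Anything other than https (including javascript: pseudo-URLs) is flagged;
// the conservative choice for a warning overlay.
function insecureFormReason(pageUrl, action) {
  const page = new URL(pageUrl);
  if (page.protocol !== 'https:') {
    return `page served over ${page.protocol.replace(':', '')}`;
  }
  let target;
  try {
    target = submissionUrl(pageUrl, action);
  } catch (e) {
    return `unparseable action ${JSON.stringify(action)}`;
  }
  if (target.protocol !== 'https:') return `form posts to ${target.href}`;
  return null;
}

// Content-script half: walk every form, paint the fields of insecure ones red
// and put the reason in the form's tooltip. Returns how many forms were flagged.
function paintInsecureForms(doc) {
  let flagged = 0;
  for (const form of doc.querySelectorAll('form')) {
    const reason = insecureFormReason(doc.location.href, form.getAttribute('action'));
    if (reason === null) continue;
    flagged += 1;
    form.title = `INSECURE: ${reason}`;
    for (const field of form.querySelectorAll('input, textarea, select')) {
      field.style.backgroundColor = 'red';
    }
  }
  return flagged;
}

// Inside a browser (content script) act on the live document; under Node
// there is no document, so show the decision on constructed cases instead.
if (typeof document !== 'undefined') {
  paintInsecureForms(document);
} else {
  const cases = [
    ['https://example.com/login', null],
    ['https://example.com/login', '/auth'],
    ['https://example.com/login', 'http://example.com/auth'],
    ['http://example.com/login', 'https://example.com/auth'],
  ];
  for (const [page, action] of cases) {
    console.log(page, JSON.stringify(action), '->', insecureFormReason(page, action));
  }
}
```

Load it as a content script with `"run_at": "document_end"` so the forms exist when it runs; forms injected later by scripts need a MutationObserver on top of this, which is left out here. Note the second failure mode is the one the green indicator never shows you: the address bar stays https while the form posts elsewhere.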

> How many thousands of apps don't even have such an indicator to observe?

I honestly never considered that one...