by vwat 2141 days ago
What are they even talking about? People can just casually decrypt https now? Isn’t the whole point of https that something like this can’t happen?

SSL stripping is more of a downgrade attack than a decryption. It relies on the fact that most website URLs are still http by default and the web servers just use an http to https redirect. If you can MITM the http request you can prevent the redirect and just present the HTTPS content through HTTP with all the MITM tampering you could ever want. It's the kind of attack HSTS is designed to try to prevent, but even that requires the victim to visit the website once legitimately.
The "HTTPS Everywhere" extension should also protect against this, right? Since it blocks all http traffic.

I always keep it enabled and there are almost no sites that require exceptions except on corporate intranet.

HSTS Preload can mitigate the first visit requirement for enforcing TLS connections.

https://hstspreload.org/
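As an added illustration (not code from this thread or from any real browser), here is a small Python model of the HSTS behaviour the comments above describe: a parser for the Strict-Transport-Security header, the hstspreload.org eligibility check (max-age of at least one year, includeSubDomains, preload), and a toy browser whose cache decides whether a plain-http navigation gets upgraded. The `Browser` class and its method names are hypothetical.

```python
import re
import time

PRELOAD_MIN_MAX_AGE = 31536000  # hstspreload.org requires a max-age of at least one year


def parse_hsts(header_value):
    """Parse a Strict-Transport-Security value; returns None if the header is unusable."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in header_value.split(";"):
        name, _, value = directive.strip().lower().partition("=")
        if name == "max-age":
            match = re.fullmatch(r'"?(\d+)"?', value.strip())
            if match is None:
                return None  # malformed max-age: RFC 6797 says ignore the whole header
            policy["max_age"] = int(match.group(1))
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy if policy["max_age"] is not None else None  # max-age is mandatory


def preload_eligible(header_value):
    """True if the header meets the hstspreload.org submission requirements."""
    p = parse_hsts(header_value)
    return bool(p and p["max_age"] >= PRELOAD_MIN_MAX_AGE
                and p["include_subdomains"] and p["preload"])


class Browser:
    def __init__(self, preload_list=()):
        # Toy HSTS cache (host -> expiry). Preloaded hosts are trusted before any
        # visit, which is what closes the first-visit gap mentioned above.
        self.hsts = {h: float("inf") for h in preload_list}

    def record_hsts(self, host, header_value, now=None):
        """Remember a policy carried on an HTTPS response (plain-HTTP responses never count)."""
        p = parse_hsts(header_value)
        if p is None:
            return
        now = time.time() if now is None else now
        if p["max_age"] == 0:
            self.hsts.pop(host, None)  # max-age=0 tells the browser to forget the host
        else:
            self.hsts[host] = now + p["max_age"]

    def scheme_for(self, host, requested="http", now=None):
        """Scheme the browser actually uses; http is upgraded when a live policy exists."""
        now = time.time() if now is None else now
        if self.hsts.get(host, 0) > now:
            return "https"
        return requested  # no policy yet: a plain-http request can be stripped
```

Only a response that was itself delivered over HTTPS should ever reach `record_hsts`; the model relies on the caller to enforce that, as real browsers do.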

I Meeeaaaannn, kinda. For Windows use Curveball, for Linux (Debian at least) use the recent GnuTLS vulns. Though that's not what they're doing here.