by rcxdude 2141 days ago
SSL stripping is more of a downgrade attack than a decryption. It relies on the fact that most website URLs are still http by default and the webservers just use an http to https redirect. If you can MITM the http request you can prevent the redirect and just present the HTTPS content through HTTP with all the MITM tampering you could ever want. It's the kind of attack HSTS is designed to try to prevent, but even that requires the victim visit the website once legitimately.
2 comments

The "HTTPS Everywhere" extension should also prevent this, right? Since it blocks all http traffic.

I always keep it enabled and there are almost no sites that require exceptions except on corporate intranet.

HSTS Preload can mitigate the first visit requirement for enforcing TLS connections.

https://hstspreload.org/
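
Added example, not part of the thread: a small checker for the `Strict-Transport-Security` header discussed above, following the parsing rules of RFC 6797 and the header requirements published on hstspreload.org (max-age of at least one year, `includeSubDomains`, `preload`). The function names and sample headers are constructed for illustration, and the check covers the header only, not the redirect or certificate requirements for preloading.

```python
import re

PRELOAD_MIN_AGE = 31536000  # one year, the minimum hstspreload.org asks for

def parse_hsts(value):
    """Parse a header value per RFC 6797 sec. 6.1; return None if invalid."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        name = name.strip().lower()        # directive names are case-insensitive
        if name in directives:             # a repeated directive voids the header
            return None
        directives[name] = arg.strip().strip('"')  # value may be a quoted-string
    age = directives.get("max-age", "")
    if not re.fullmatch(r"[0-9]+", age):   # max-age is required and numeric
        return None
    directives["max-age"] = int(age)
    return directives

def assess(value, over_https=True):
    """Report whether a browser would store the policy and what preload lacks."""
    result = {"policy_stored": False, "preload_ready": False, "missing": []}
    if not over_https:
        return result   # browsers ignore HSTS received over plain HTTP
    d = parse_hsts(value)
    if d is None:
        return result   # malformed headers are ignored as a whole
    result["policy_stored"] = d["max-age"] > 0   # max-age=0 deletes the policy
    if d["max-age"] < PRELOAD_MIN_AGE:
        result["missing"].append("max-age>=31536000")
    if "includesubdomains" not in d:
        result["missing"].append("includeSubDomains")
    if "preload" not in d:
        result["missing"].append("preload")
    result["preload_ready"] = not result["missing"]
    return result

# Constructed sample headers, not captured from any real site.
SAMPLES = [
    "max-age=63072000; includeSubDomains; preload",
    "max-age=300",
    'MAX-AGE="31536000"; INCLUDESUBDOMAINS',
    "max-age=31536000; max-age=0",
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(header, "->", assess(header))
```

A header that is stored but not preload-ready still leaves the first plain-http visit unprotected, which is the gap the preload list closes.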