by michaelmcmillan 1867 days ago
Most sites redirect all http traffic to https to make sure the traffic is encrypted.

Here's an example with HN (notice the protocol in the req/res):

  $ curl -v http://news.ycombinator.com
  [...]
  < HTTP/1.1 301 Moved Permanently
  < Location: https://news.ycombinator.com/
However, the first request is over http, before it gets redirected and encrypted. This is where the malicious relay node would intercept and change the response.

This is actually what's going on. It's what HSTS and HSTS preloading protect you against, it's why Chrome is moving to just assuming HTTPS when you type domain names without specifying, and it's why Firefox now has "HTTPS only mode" where it goes further and just rewrites all HTTP as HTTPS (even in random links you follow) and gives you an interstitial caution page to decide if you really want to try HTTP when HTTPS fails.

People have all these fancy high-tech Hollywood-style theories about how they imagine things being attacked, but the reality is almost always far more boring.

Yeah. And for anyone unaware, this technique, SSL stripping, was made well-known (and perhaps pioneered?) by Moxie Marlinspike of Signal with his tool sslstrip back in 2011: https://github.com/moxie0/sslstrip. I believe that's what he was most famous for before Signal.

It's unfortunate that this very simple attack remains extremely successful even a decade later. I'm surprised Tor Browser didn't enforce HTTPS Everywhere for all domains by default years ago. HTTPS Everywhere was released in 2010, before sslstrip, even. HSTS and HSTS preloading helps, but individual site owners still have to explicitly submit their site to be added to the preload list.

HSTS preloading is hierarchical, so it's not necessary for individual site owners to submit: if the domain above yours opted its entire hierarchy in, you're in.

So if you own example.foo or example.dev you don't need to do anything and indeed can't choose, because Google (owners of the foo and dev top level domains) preloaded the entire TLD.

http://some.example.dev/ can still exist, but you can't go there in a typical modern web browser, it will take you to https://some.example.dev/ regardless. So software that knows it actually wants the plaintext protocol can use it, but your ordinary users can't get SSL stripped.
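
The hierarchical preload rule described above, together with the first-request window from the top post, as an added example (not code from any commenter): a minimal model of a browser's HSTS store. The preload entries and header values are constructed samples, not the real preload list.

```python
import re
from urllib.parse import urlsplit

# Constructed sample of a preload list: hostname -> includeSubDomains flag.
# Real entries come from hstspreload.org; these are illustrative only.
SAMPLE_PRELOAD = {
    "dev": True,            # whole TLD preloaded, as the comment describes
    "example.com": False,   # exact host only, subdomains not covered
}

def parse_sts(header):
    """Parse a Strict-Transport-Security header value into a policy dict."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.lower()
        if name == "max-age":
            m = re.fullmatch(r'"?(\d+)"?', value.strip())
            if m:
                policy["max_age"] = int(m.group(1))
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy

def preloaded(host, entries=SAMPLE_PRELOAD):
    """True if host is listed, or an ancestor is listed with includeSubDomains."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in entries:
            return i == 0 or entries[candidate]
    return False

class HstsClient:
    """Browser-side HSTS state: static preload list plus policies learned
    from responses. No network I/O; the point is the decision logic."""
    def __init__(self, preload_list=SAMPLE_PRELOAD):
        self.preload_list = preload_list
        self.store = {}   # host -> includeSubDomains, learned from headers

    def learn(self, host, sts_header):
        policy = parse_sts(sts_header)
        if policy["max_age"] is None:
            return            # malformed header: ignore, keep existing state
        if policy["max_age"] == 0:
            self.store.pop(host.lower(), None)   # max-age=0 clears the policy
        else:
            self.store[host.lower()] = policy["include_subdomains"]

    def upgrades(self, url):
        """Would this client rewrite http:// to https:// before sending?
        False means the plaintext first request (the stripping window) happens."""
        parts = urlsplit(url)
        if parts.scheme != "http":
            return False
        host = parts.hostname or ""
        return preloaded(host, self.preload_list) or preloaded(host, self.store)
```

A host that is neither preloaded nor previously visited gets no upgrade, which is exactly the first-request window the top post points at.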

Ah, thanks, I wasn't aware of this. I might put future projects under a preloaded TLD.

> and perhaps pioneered?

I highly doubt that. In fact I knew about SSL stripping before I knew Moxie or even sslstrip, and this attack was probably already well known when someone came up with a separate URL scheme for https...

Yeah, "pioneered" was too strong of a word. I'm sure there's no way he could've been the first person to come up with the idea. He was just the one who widely popularized the attack and released a convenient tool for it.

For anyone who remembers it, "Firesheep" also had a big impact, too. It didn't do anything special or novel whatsoever, but it was a really easy-to-use tool that drove home to the average person just how dangerous plaintext HTTP was. Lots of people immediately started using it in school classes and logging into everyone else's Facebook and Twitter accounts. I'm not sure if it was the direct cause, but I know not long after that, all the big services began switching to HTTPS for everything rather than just login and payment pages.

There's probably some startup lesson buried in there...