Hacker News new | ask | show | jobs
by meowface 1868 days ago
Yeah. And for anyone unaware, this technique, SSL stripping, was made well-known (and perhaps pioneered?) by Moxie Marlinspike of Signal with his tool sslstrip back in 2011: https://github.com/moxie0/sslstrip. I believe that's what he was most famous for before Signal.

It's unfortunate that this very simple attack remains extremely successful even a decade later. I'm surprised Tor Browser didn't enforce HTTPS Everywhere for all domains by default years ago. HTTPS Everywhere was released in 2010, before sslstrip, even. HSTS and HSTS preloading helps, but individual site owners still have to explicitly submit their site to be added to the preload list.
2 comments
tialaramex 1867 days ago
HSTS preloading is hierarchical, so it's not necessary for individual site owners to submit, if the domain above yours opted its entire hierarchy in, you're in.

So if you own example.foo or example.dev you don't need to do anything and indeed can't choose, because Google (owners of the foo and dev top level domains) preloaded the entire TLD.

http://some.example.dev/ can still exist, but you can't go there in a typical modern web browser, it will take you to https://some.example.dev/ regardless. So software that knows it actually wants the plaintext protocol can use it, but your ordinary users can't get SSL stripped.

link
meowface 1867 days ago
Ah, thanks, I wasn't aware of this. I might put future projects under a preloaded TLD.
link
mercora 1868 days ago
> and perhaps pioneered?

i highly doubt that. in fact i knew about ssl striping before i knew moxie or even sslstrip and this attack was probably already well known when someone came up with a seperate url scheme for https...

link
meowface 1868 days ago
Yeah, "pioneered" was too strong of a word. I'm sure there's no way he could've been the first person to come up with the idea. He was just the one who widely popularized the attack and released a convenient tool for it.

For anyone who remembers it, "Firesheep" also had a big impact, too. It didn't do anything special or novel whatsoever, but it was a really easy-to-use tool that drove home to the average person just how dangerous plaintext HTTP was. Lots of people immediately started using it in school classes and logging into everyone else's Facebook and Twitter accounts. I'm not sure if it was the direct cause, but I know not long after that, all the big services began switching to HTTPS for everything rather than just login and payment pages.

There's probably some startup lesson buried in there...

link