by mynewwork 4265 days ago
"We do the same for Facebook: Slotboom is able to intercept the login name and password I entered with relative ease."

Is Facebook not using encryption for login? That would surprise me. Or is the author either blatantly lying or intentionally being deceptive (i.e., he clicked past an invalid certificate warning or similar)?


If you type in facebook.com, your browser will use HTTP by default. The login page will redirect you to HTTPS, but it's too late, you're MITM'd. The attacker makes the HTTPS connection instead, and serves the page to you over HTTP. You put your username and password in and send it back to the attacker in plain text. The attacker sends the data to Facebook via HTTPS, decrypts the response, and sends it to you via HTTP. It's called sslstrip. http://www.idcloak.com/learning-center/faceniff-SSL-Strip-fa...

Don't browsers typically verify the identity of an HTTPS page and warn you if something is not right?

Right, but in this case your browser never sees the page over HTTPS. The attacker makes the secure connection, and feeds you data over an insecure connection that they can see.

  You <-(HTTP)-> Attacker <-(HTTPS)-> Facebook
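
Added example, not written by any commenter in this thread: a defender-side audit of the redirect chain a browser sees when a user types a bare hostname, flagging the plaintext first hop that makes the downgrade above possible. It assumes HTTP Strict Transport Security (the standard browser-side defense, which the thread does not name) as the mitigation being checked; the hostnames and response chains are constructed sample data.

```python
from urllib.parse import urlsplit

# Constructed sample chains: (url, status, headers) per hop. Hosts are placeholders.
CHAIN_NO_HSTS = [
    ("http://site.example/", 301, {"Location": "https://site.example/"}),
    ("https://site.example/", 200, {}),
]
CHAIN_HSTS = [
    ("http://site.example/", 301, {"Location": "https://site.example/",
                                   "Strict-Transport-Security": "max-age=31536000"}),
    ("https://site.example/", 200,
     {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}),
]

def parse_hsts(value):
    """Parse a Strict-Transport-Security value into (max_age, include_subdomains)."""
    max_age, subs = None, False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name == "max-age" and arg.isdigit():
            max_age = int(arg)
        elif name == "includesubdomains":
            subs = True
    return max_age, subs

def audit_chain(chain):
    """Return (hsts_effective, findings) for one redirect chain."""
    findings, hsts_ok = [], False
    for url, _status, headers in chain:
        hdrs = {k.lower(): v for k, v in headers.items()}
        sts = hdrs.get("strict-transport-security")
        if urlsplit(url).scheme == "http":
            # Anyone on the path can answer this hop and keep the user on HTTP.
            findings.append(f"plaintext hop: {url}")
            if sts:
                findings.append("HSTS sent over HTTP is ignored by browsers")
        elif sts:
            max_age, _ = parse_hsts(sts)
            hsts_ok = bool(max_age)  # max-age=0 clears the stored policy
    if hsts_ok:
        findings.append("HSTS set: only a first visit or expired policy starts on HTTP")
    else:
        findings.append("no effective HSTS: every visit starting on HTTP can be stripped")
    return hsts_ok, findings

if __name__ == "__main__":
    for name, chain in (("no-hsts", CHAIN_NO_HSTS), ("hsts", CHAIN_HSTS)):
        print(name, audit_chain(chain))
```

Even with the header in place, the very first visit still begins on HTTP unless the host is in the browser's HSTS preload list.
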
This was my first thought as well - either there's some major issue with SSL that allows MITM attacks which I'm unaware of, or this article isn't very accurate/precise.
Perhaps one of the techniques discussed here: https://www.youtube.com/watch?v=MFol6IMbZ7Y ?

Or, as this was published a couple of days ago, it might have utilized POODLE, or even BEAST in unmitigated cases.

But yeah, I'd also believe user error in some cases.