[leepowers]

If an attacker controls the access point he could do the following:

* Redirect all HTTPS traffic to an HTTP spoof site. Many users probably wouldn't notice.

* If the attacker has access to a short, 2-3 character domain, they could redirect to a wildcard HTTPS connection like, https://facebook.aa.com/ - again, many users wouldn't notice. They'd see "facebook" and the lock icon and assume they're ok.

* In either case the attacker could simply proxy all HTTP requests from victim to Facebook (or any other site). So the user's browsing experience remains the same but all passwords, cookies and personal info are logged. Scary stuff!

[MichaelGG]

Probably don't even need a short domain. Facebook.login.secureauthredirectsystem.moregibberish.com probably would seem sorta legit. After all, Microsoft's auth systems do crazy stuff like that. So does the moronic Verified by Visa system - it's something like "ww2.secpayment.com" and looks totally sketchy but it's legit.

[voltagex_]

So does MasterCard (for "3D Secure" 2 factor auth) - I had to do a whois/traceroute on the domain before I trusted it the first time.

[huntaub]

Can you clarify the first point more? I would assume that if the user is able to connect to "facebook.com", then the connection would immediately go to HTTPS and the router could not "forcefully redirect" or do anything to the connection.

Alternatively, I could imagine a situation where the router hijacks the _DNS_ request for Facebook to a malicious site. Is that what you were referring to?

[smtddr]

Don't know if this works still today... but I've definitely used it before: http://www.thoughtcrime.org/software/sslstrip/

[domenicd]

I think that attack is exactly what HSTS (https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security) is meant to solve.

[cbsmith]

HSTS and bookmarks... along with settings increasingly built in to a lot of browsers should make it all but impossible to MITM facebook.com.

There is a bit of a weak link with DNSSec, but in truth there are WAY easier ways to get someone's Facebook ID once you can spoof traffic to them.

[Sami_Lehtinen]

You can't redirect https traffic to http, without having valid certificate. But of course with all these CA problems, it could be possible to arrange one. It's then another story, if users use http -> https recirection in first place. Due to leaving the https prefix out from the url when connecting the site very first time. That's immediate security fail, but it's up to users to get this straight. HSTS won't help because due to privacy mode, all data between browser sessions will be purged, including HSTS data. Any failure to purge any data between sessions, could break privacy, because then it's known that you have already visited that site. But these questions are quite complex. Which is best configuration for each situation needs to be very carefully considered. I personally like DANE, if I would be running any serious service, I would configure it. Some of my friends have already done that.