[steakejjs]

No. SSL stripping is an attack where you prevent a user from upgrading to an HTTPS connection. That isn't possible here.

Many sites have multiple tiers of authentication. For example viewing items to purchase is over HTTP but to actually checkout or manage your account requires you to go to HTTPS and reauthenticate on an HTTPS login page. Always. After this you are kept on HTTPS for the trusted actions. Amazon only does shopping over http but trusted actions are all HTTPS.

This has been amazons authentication scheme for years and it is actually the same as googles (where Google does have http assets, they force a reauth before going to https only stuff).

The most an attacker could do is inject code on http pages, annoyingly add things to cart, purchase items with 1 click purchase (inject javascript that clicks the button) and eavesdrop on all items purchased (quite serious).

BUT they cannot perform SSL stripping if Amazon doesn't do any auth over HTTP. An attacker could do some phishing like attacks to try to convince the user to put their password in at the wrong time, though.

[pomfpomfpomf3]

An attacker can also replace an https:// login URL with an http:// one on a page sent via unencrypted connection. The http:// page can then be manipulated in any way.

[steakejjs]

Right, but you get a redirect to the https login page with an http login URL.

An attacker can attempt phishing with HTML/JS injection on a HTTP page but an attacker cannot get a user to be looking at Amazon's real login page over http.

I think the problem here is the term ``SSL stripping'' was used and it may be kind unclear what MITM attacks is actually encompassed by it.

The OP wrote ``An attacker can easily steal passwords with SSL Stripping''. If OP meant he can easily steal passwords by basically a s/https/http on all urls on the page, OP's wrong. The attacker needs to create their own fake login page, present it to the victim, and hope the victim falls for it

[ivanr]

Once the attacker hijacks the plaintext HTTP connection, she can pretty much do whatever she wants with the user. Of course, that's provided we're talking about a casual user, who isn't going to pay much attention to the HTTPS indicators.

Thus, the first leg of the traffic, between the victim and the MITM attacker is forever unencrypted. The second leg, between the attacker and the servers can be encrypted; it's not going to impact the attacker's capabilities in any way.

The attacker doesn't need to create their own fake login page, etc, because she can simply proxy all traffic from and to Amazon's servers.

[steakejjs]

Not all traffic. Amazon has a separate SecureOnly cookie for access to their trusted pages that isn't sent over HTTP. Without that cookie not all traffic can be proxied.

[ivanr]

If Amazon has any secure cookies, they're not going to affect this particular attack. The traffic leg between the attacker and Amazon's servers can be encrypted, which means that she will receive the secure cookies. Because the leg between the victim and the attacker is not encrypted, the attacker simply rewrites the cookies to remove the "secure" flag. Thus, from the perspective of the victim the cookies are not secure.

To summarise, the attacker injects herself into the traffic stream, fully controlling the Amazon side of the communication, and forwards traffic to the victim rewriting as appropriate. The account compromise occurs when Amazon asks the victim for the password (as they do before each purchase) and the attacker captures the password (because it will have been sent to her, rather to Amazon).

[steakejjs]

Sounds like we were always on the same page...

I never said an attacker can't do this. I'm saying an attacker can't do a s/https/http and have a user end up at an HTTP login page, where the attacker can sniff credentials.

[falcolas]

All the MITM has to do is relay the traffic to the correct secure location, passing the credentials passed via the compromised HTTP connection, and the user's entire account is compromised.

Remember: HTTPS does not ensure the identity of the client.

[steakejjs]

Relay what credentials from the HTTP connection ? There are none...

It sounds like you are talking about creating a phishing page and injecting it, hoping the user enters their credentials, and stealing them. I already said this was possible.