by steakejjs 4091 days ago
Sounds like we were always on the same page...

I never said an attacker can't do this. I'm saying an attacker can't do a s/https/http and have a user end up at an HTTP login page, where the attacker can sniff credentials.

2 comments

The attacker operates the http login page as a MITM. If they can mangle http traffic, they can run a full MITM.
Yes, they can. They make the secure login connection, and terminate it themselves, then route what they received along to the user with s/https/http.