by abalone 3997 days ago
I've had a ton of respect for Marlinspike ever since he published sslstrip, an incredibly simple defeat of HTTPS.[1]

It's a perfect demonstration of the fundamental insecurity of the web thus far. When an insecure communication mode (HTTP) is the default and perfectly ok most of the time, the browser has no idea when you are supposed to be operating on a secure channel (HTTPS) but have been tricked into downgrading by a man in the middle attack.

I can't prove it but I believe his work is a significant factor behind the shift towards deprecating HTTP in favor of HTTPS all the time. That is the only real solution.

[1] http://www.thoughtcrime.org/software/sslstrip/


> the browser has no idea when you are supposed to be operating on a secure channel (HTTPS)

Agree about the sentiment, but there are some ways to help this. The server can for instance tell the client to always require https:

https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security

Doesn't help if the client hasn't yet connected to the right server at least once, though.

Also, the browser can opt into HTTPS by using a plugin such as HTTPS Everywhere.

All of these defenses post-date sslstrip/sslsniff, and if you look at mailing list conversations in the early days of HTTPS Everywhere, you can see that it was developed as a direct response to these attacks.

All HTTPS all the time is the only real solution. Both those band-aids rely on distributing rules to browsers describing when to use HTTPS with what sites. That is totally unscalable, not to mention only as secure as the ruleset distribution channel.
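To make the HSTS reply above concrete, here is an added example (not code from the thread, from sslstrip, or from any browser) of the client-side half of RFC 6797: parsing the Strict-Transport-Security header, keeping a policy store, and upgrading http:// URLs for hosts it knows about. The `HstsStore` class, its method names and the injectable clock are assumptions of this example; the header syntax and the rules it applies are from the RFC.

```python
# Client-side model of HSTS (RFC 6797), the defence the reply above points to. Added
# example, not code from the thread or sslstrip; HstsStore and its API are assumptions.
import time
from urllib.parse import urlsplit, urlunsplit

def parse_sts_header(value):
    """Return (max_age, include_subdomains), or None if max-age is missing or invalid."""
    max_age, include_sub = None, False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name == "max-age" and arg.isdigit():
            max_age = int(arg)
        elif name == "includesubdomains":
            include_sub = True
    return None if max_age is None else (max_age, include_sub)

class HstsStore:
    def __init__(self, clock=time.time):
        self._clock = clock
        self._hosts = {}  # host -> (expiry_epoch, include_subdomains)

    def record(self, host, header_value, over_tls):
        # A header seen over plain HTTP is ignored (RFC 6797 s.8.1): otherwise the
        # man in the middle doing the downgrade could plant or clear policies.
        parsed = parse_sts_header(header_value) if over_tls else None
        if parsed is None:
            return
        max_age, include_sub = parsed
        if max_age == 0:
            self._hosts.pop(host.lower(), None)  # max-age=0 revokes the policy
        else:
            self._hosts[host.lower()] = (self._clock() + max_age, include_sub)

    def is_known(self, host):
        labels = host.lower().split(".")
        for i in range(len(labels)):  # exact host first, then each parent domain
            entry = self._hosts.get(".".join(labels[i:]))
            if entry and entry[0] > self._clock() and (i == 0 or entry[1]):
                return True
        return False

    def rewrite(self, url):
        # Known hosts are upgraded to https://; an unknown host is left alone (the first-connection gap).
        parts = urlsplit(url)
        if parts.scheme != "http" or not self.is_known(parts.hostname or ""):
            return url
        netloc = parts.netloc[:-3] + ":443" if parts.netloc.endswith(":80") else parts.netloc
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
```

A host the store has never seen over TLS is not rewritten, which is exactly the window the reply describes; real browsers narrow it with a preload list shipped in the binary, i.e. the rule-distribution approach the next comment objects to.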