by juhanima 3997 days ago
> the browser has no idea when you are supposed to be operating on a secure channel (HTTPS)

Agree about the sentiment, but there are some ways to help this. The server can for instance tell the client to always require https:

https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security

Doesn't help if the client hasn't yet connected to the right server at least once, though.

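The point in the comment above, that HSTS only protects a client that has already completed one clean HTTPS visit, is easy to see in a small model of the browser's HSTS store. The code below is an added example written for this page, not code from the thread or from any browser; the host `bank.example`, the responses and the timestamps are constructed. It parses the `Strict-Transport-Security` header, keeps a per-host policy with expiry and `includeSubDomains`, and rewrites `http://` navigations to `https://` before any request is sent. Two scenarios are then run: a victim whose first visit is kept on plain HTTP by an sslstrip-style attacker (so the store never learns anything, since RFC 6797 says the header is ignored on non-TLS responses), and a client that got one clean HTTPS response first.

```javascript
// Added example: a minimal model of a browser HSTS store (RFC 6797 semantics,
// default ports only). Hosts, headers and times below are constructed, not real.

// Parse a Strict-Transport-Security header value. Returns null when the
// mandatory max-age directive is missing or not a non-negative integer.
function parseHsts(headerValue) {
  const directives = {};
  for (const part of headerValue.split(';')) {
    const [name, value] = part.trim().split('=').map(s => s.trim());
    if (!name) continue;
    directives[name.toLowerCase()] =
      value === undefined ? true : value.replace(/^"|"$/g, '');
  }
  const maxAge = Number(directives['max-age']);
  if (!Number.isInteger(maxAge) || maxAge < 0) return null;
  return { maxAge, includeSubDomains: directives['includesubdomains'] === true };
}

class HstsStore {
  constructor() {
    this.entries = new Map(); // host -> { expires, includeSubDomains }
  }

  // Called on every response. The header is honoured only when it arrived
  // over HTTPS with a valid certificate; on a plain-HTTP (stripped) response
  // it is ignored, so a downgraded first visit teaches the browser nothing.
  observe(host, scheme, certValid, headers, now) {
    if (scheme !== 'https' || !certValid) return false;
    const raw = headers['strict-transport-security'];
    if (raw === undefined) return false;
    const policy = parseHsts(raw);
    if (!policy) return false;
    if (policy.maxAge === 0) {          // max-age=0 removes the host's policy
      this.entries.delete(host);
      return true;
    }
    this.entries.set(host, {
      expires: now + policy.maxAge,
      includeSubDomains: policy.includeSubDomains,
    });
    return true;
  }

  // True if host, or a parent domain whose policy has includeSubDomains,
  // is a known HSTS host at time `now` (expired entries are evicted).
  isKnown(host, now) {
    const labels = host.split('.');
    for (let i = 0; i < labels.length; i++) {
      const candidate = labels.slice(i).join('.');
      const entry = this.entries.get(candidate);
      if (!entry) continue;
      if (entry.expires <= now) { this.entries.delete(candidate); continue; }
      if (i === 0 || entry.includeSubDomains) return true;
    }
    return false;
  }

  // Rewrite an http:// URL to https:// before any bytes leave the client.
  upgrade(url, now) {
    const u = new URL(url);
    if (u.protocol === 'http:' && this.isKnown(u.hostname, now)) u.protocol = 'https:';
    return u.toString();
  }
}

// Scenario 1: first contact goes through an sslstrip-style attacker who keeps
// the victim on plain HTTP. Even if the attacker forwarded the header, an
// HTTP response cannot set HSTS, so every later navigation stays plaintext.
function simulateSslstripVictim(store, now) {
  const first = store.upgrade('http://bank.example/login', now);
  store.observe('bank.example', 'http', false,
    { 'strict-transport-security': 'max-age=31536000' }, now);
  const second = store.upgrade('http://bank.example/login', now);
  return { first, second };
}

// Scenario 2: one clean HTTPS response first; afterwards http:// navigations to
// the host and (via includeSubDomains) its subdomains are upgraded until expiry.
function simulateCleanVisitThenUpgrade(store, now) {
  store.observe('bank.example', 'https', true,
    { 'strict-transport-security': 'max-age=31536000; includeSubDomains' }, now);
  return {
    later:   store.upgrade('http://bank.example/login', now + 3600),
    sub:     store.upgrade('http://www.bank.example/', now + 3600),
    expired: store.upgrade('http://bank.example/login', now + 31536000),
  };
}

console.log('stripped first visit:', simulateSslstripVictim(new HstsStore(), 1000));
console.log('clean first visit:   ', simulateCleanVisitThenUpgrade(new HstsStore(), 1000));
```

The model also shows the cost of a bounded `max-age`: once the entry expires, the next visit is again a trust-on-first-use visit. The browser-shipped HSTS preload list exists precisely to close the bootstrap gap the comment describes; a domain that is not on it is protected only from its first clean HTTPS response onward.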

Also, the browser can opt into HTTPS by using a plugin such as HTTPS Everywhere.

All of these defenses post-date sslstrip/sslsniff, and if you look at mailing list conversations in the early days of HTTPS Everywhere, you can see that it was developed as a direct response to these attacks.

All HTTPS all the time is the only real solution. Both those band-aids rely on distributing rules to browsers describing when to use HTTPS with what sites. That is totally unscalable, not to mention only as secure as the ruleset distribution channel.