
Is there a way to bypass HTTPS (using MITM attacks) on browsers like Chrome, Firefox, etc.?

I know it could be done in some way, exploiting the NTP port, but we need the interaction of the victim. And for this interaction to happen we need a DNS spoof, which we can't do because all the modern browsers are patched against these attacks.

So is there a way?

VladiC4T
  • Are you asking theoretically, or are you asking about an existing known exploit? – Daniel Pryden Jan 21 '18 at 18:40
  • What do you mean by bypass? Are you asking if it's possible to downgrade an HTTPS connection? – Arminius Jan 21 '18 at 18:46
  • Well, both a theoretical explanation and an exploit would be great. By bypass I mean using a MITM attack to sniff the victim's packets, bypassing HTTPS on modern browsers. – VladiC4T Jan 21 '18 at 18:52
  • Many large organisations install a certificate in the browsers so that they can read the contents of all HTTP traffic as it leaves their network (data loss protection). The traffic is still HTTPS, but it gets sniffed anyway and the user may never know (they are supposed to be informed by the employer). – schroeder Jan 21 '18 at 18:55
  • Ok. I did a test in my lab using a MITM attack and it didn't work because I think all the scripts nowadays are useless against the browsers; I can't sniff the packets. Am I right? I hope my questions are understood... If not, then I will just keep learning without any help and only then "ask" an understandable question.... If someone doesn't understand what I'm saying, sorry for my ignorance, just let me know. – VladiC4T Jan 21 '18 at 19:06

1 Answer


This depends on the capabilities of the attacker and on the target website. If the victim has never visited the target website with the current browser, or if the target site does not employ HSTS, then attacks using sslstrip are still possible.

Beyond that, stealthy MITM attacks are still possible if the victim has a CA installed as trusted on their system whose private key is known to the attacker. These could be certificates installed by the vendor, as in the case of the Superfish software installed by Lenovo or the CA certificate installed by Dell. Usually such known compromised CA certificates get blocked, but the recent disaster with a software product for secure communication between lawyers shows that even large vendors are still unaware of these problems and will thus install new CA certificates on the system with a badly secured private key. Such a CA certificate could also be installed by (often ad-injecting) malware, as in the case of the recent OSX/MaMi malware.

Apart from that, attacks are possible using browser extensions, which simply bypass the need to break HTTPS since they have access to the plain traffic. In the past, multiple innocent browser extensions changed their behavior and went rogue, as described in When Browser Extensions Go Rogue.

And then of course the attacker might use vulnerabilities of the system or social tricks to make the user install some malware, which might install a new browser extension, hijack the browser or just replace it. This way the attacker also gets access to the plain traffic.

Steffen Ullrich
  • Wow. Incredible information!! I didn't know all this stuff! Okay, you said that it depends on the capabilities of the attacker and the target website; but I was reading the HSTS link that you posted in the answer, and is there a way to bypass HSTS? Could someone make a script to change the HSTS domains or modify the code? Or something similar to start sniffing the packets? Because I did a test in my lab and I was unable to bypass HSTS with some sslstrip scripts, and I used different tools. Thanks! – VladiC4T Jan 22 '18 at 14:44
  • @VladiC4T: Once the browser knows that the site should be accessed over https only, sslstrip will no longer work. All the other attacks will still work though. – Steffen Ullrich Jan 22 '18 at 14:58
  • Ok! Thank you very much! – VladiC4T Jan 23 '18 at 12:09
  • @Steffen: If the attacker does not have any malicious software (no malicious CAs, extensions or malware) on the target's computer, meaning that the target's computer is clean, then the only possible way to see their traffic is through sslstrip? Is that correct? But if that happens, then the target will see that the connection is insecure. So if someone is using a clean computer and they have an encrypted connection, then they can be sure that no one is listening to their traffic? – Linux_user0987 Nov 26 '19 at 19:04
  • @Linux_user0987: "... listening to their traffic? ..." - Of course someone can listen to the traffic, but they cannot decrypt the encrypted traffic. But they can still find out which sites the victim communicated with, for how long, etc. And there might be HTTP-only content included in the HTTP page (not all mixed content is blocked), and this content can be seen by an attacker too. And there is other traffic apart from HTTP and HTTPS, for example DNS, which is encrypted by default. But please don't discuss the issue further here and instead ask a new question if you want more details. – Steffen Ullrich Nov 26 '19 at 19:53
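The answer's first paragraph and the follow-up comment ("once the browser knows that the site should be accessed over https only, sslstrip will no longer work") describe a decision the browser makes locally, before any packet is sent. The following is an added example, not code from the answer or from any browser or from sslstrip: a small model of a browser's HSTS host store (RFC 6797) driven through the scenarios the answer names. The hostnames (shop.example, bank.example, api.shop.example), the relayed page, the header values and the clock values are all constructed for the demonstration. The sslstrip step is reduced to what matters here, rewriting https:// links to http:// in a plaintext page the attacker relays.

```python
import time
from dataclasses import dataclass
from urllib.parse import urlsplit, urlunsplit


@dataclass
class HstsEntry:
    expires: float            # absolute time; float("inf") for preloaded hosts
    include_subdomains: bool


def parse_hsts_header(value):
    """Parse a Strict-Transport-Security value (RFC 6797 section 6.1); None means ignore the header."""
    max_age, include_subdomains = None, False
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        name, val = name.strip().lower(), val.strip().strip('"')
        if name == "max-age":
            if max_age is not None or not val.isdigit():   # duplicate or non-numeric max-age
                return None
            max_age = int(val)
        elif name == "includesubdomains":
            include_subdomains = True
    return None if max_age is None else (max_age, include_subdomains)


class HstsStore:
    """Minimal model of a browser's HSTS host store."""

    def __init__(self, preload=(), now=time.time):
        self.now = now
        self.entries = {h.lower(): HstsEntry(float("inf"), True) for h in preload}

    def observe_response(self, url, headers):
        """Record HSTS from a response; only responses received over HTTPS count (RFC 6797 section 8.1)."""
        parts = urlsplit(url)
        value = headers.get("strict-transport-security")
        if parts.scheme != "https" or value is None:
            return False          # an on-path attacker speaking plain HTTP can neither plant nor clear
        parsed = parse_hsts_header(value)
        if parsed is None:
            return False
        max_age, include_subdomains = parsed
        if max_age == 0:
            self.entries.pop(parts.hostname, None)   # max-age=0 means "forget this host"
        else:
            self.entries[parts.hostname] = HstsEntry(self.now() + max_age, include_subdomains)
        return True

    def is_known_https(self, host):
        """True if host, or a superdomain with includeSubDomains, has an unexpired entry."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            entry = self.entries.get(candidate)
            if entry is None:
                continue
            if entry.expires <= self.now():
                del self.entries[candidate]          # expired entries are dropped, not honoured
                continue
            if i == 0 or entry.include_subdomains:
                return True
        return False

    def navigate(self, url):
        """URL the browser really requests: http:// is upgraded in-browser, before any packet leaves."""
        parts = urlsplit(url)
        if parts.scheme == "http" and self.is_known_https(parts.hostname):
            return urlunsplit(("https",) + tuple(parts[1:]))    # explicit ports are not modelled
        return url


def sslstrip_rewrite(html):
    """What sslstrip does to a relayed plaintext page: every https:// link becomes http://."""
    return html.replace("https://", "http://")


def attack_outcome(store, clicked_url):
    """'plaintext' if the request leaves over HTTP (sslstrip wins), else 'encrypted'."""
    return "encrypted" if store.navigate(clicked_url).startswith("https://") else "plaintext"


def demo():
    clock = [1_700_000_000.0]                        # constructed, controllable clock
    store = HstsStore(preload=["bank.example"], now=lambda: clock[0])
    # constructed page relayed by the attacker; the link the victim clicks is already stripped
    link = sslstrip_rewrite('<a href="https://shop.example/login">').split('"')[1]
    results = {"link": link}
    results["first_visit"] = attack_outcome(store, link)       # shop.example never seen before
    store.observe_response("https://shop.example/",
                           {"strict-transport-security": "max-age=31536000; includeSubDomains"})
    results["after_hsts"] = attack_outcome(store, link)
    results["subdomain"] = attack_outcome(store, "http://api.shop.example/")
    # attacker injects max-age=0 over plain HTTP to clear the entry: ignored
    store.observe_response("http://shop.example/", {"strict-transport-security": "max-age=0"})
    results["after_http_clear"] = attack_outcome(store, link)
    results["preloaded"] = attack_outcome(store, "http://bank.example/")
    clock[0] += 31536001                             # one second past max-age
    results["after_expiry"] = attack_outcome(store, link)
    return results
```

Running demo() walks the cases in order: the first click on a never-visited, non-preloaded host goes out as plaintext, which is exactly the window sslstrip needs; once one genuine HTTPS response has carried the header, the same click (and clicks on subdomains) is upgraded locally and sslstrip never sees a request it could downgrade; a max-age=0 header injected over plain HTTP is ignored, so the attacker cannot evict the entry; preloaded hosts are protected even on the first visit; and the window reopens only once the entry has expired. Real browsers also persist the store across restarts and consult a built-in preload list, which the model represents with the preload argument.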