0

I am quite confused. I have been reading about SSL stripping and what I have found is that

  1. The client (victim) has to initiate the first connection via HTTP
  2. The server will redirect to HTTPS - here is were interception and stripping occurs.

But I have also read articles where the first connection is an HTTPS connection.

I am slightly confused about this. In order for SSL stripping to work (forgetting about the HSTS for now), do we need a client initiating the first connection via HTTP or HTTPS?

Uses HTTPS Uses HTTP

schroeder
  • 125,553
  • 55
  • 289
  • 326
nachofest
  • 1
  • 1
  • The answers in the duplicate question also talk about the differences between how the victim initiates the connection. In short, both are possible. – schroeder Mar 05 '20 at 10:19
  • You are right, sorry @schroeder – nachofest Mar 05 '20 at 10:19
  • but from what I see, if the client initiates HTTPS connection, the only attack is an SSL MITM attack, which then "defeats the purpose of this attack". @schroeder – nachofest Mar 05 '20 at 10:23
  • It requires being in the middle anyway, yes. But if you can downgrade the connection to HTTP, you can carry out the SSLstrip style of attack. You could, of course, do other things, but that requires a bad cert that will trow warnings. – schroeder Mar 05 '20 at 10:27
  • So, original intent of the attack was to keep the HTTP connection HTTP and not "upgrading". But it is possible to downgrade, too, although it might not always make sense. Your question is about what *must* happen. the answer is that there are options. – schroeder Mar 05 '20 at 10:28

0 Answers0