0

Is there a point in being MITM nowadays since HTTPS makes it impossible to make sense of sniffed data and HSTS prevents SSL stripping?

  • Just like with other things like SQLi - there are technologies around that mitigate or prevent an attack altogether... but the attacks aren't dead because programmers don't use the technologies. Maybe they're lazy, maybe they have maintain compatibility with legacy software. There's also the chance that there are novel MitM techniques yet to be developed, the same way that XSS has morphed over the years. – Fire Quacker Feb 15 '22 at 20:17
  • There is more to life than HTTP, especially in enterprise environments. –  Feb 16 '22 at 01:44
  • You've made 3 assumptions: 1. there is only HTTP, 2. all HTTPS sites/browsers use HSTS perfectly, and 3. being in the middle only has value if you can read the data. All of these assumptions need to be confirmed. – schroeder Feb 16 '22 at 10:04

2 Answers2

1

HSTS simply informs the browser that it should only access the site by HTTPS and not by HTTP. It does this using a response header that the site serves when the user's browser connects to the site. The site owner can petition to have the site listed in an HSTS preload list that some browsers will load. So, in order for HSTS to be effective, the user must have visited the site previously, or the site must be in on HSTS preload list that the user's browser loads.

So, even with HSTS, there is still an opportunity for an attacker to pull off an MITM attack - if the attacker can manage to get a certificate for the site signed by a CA that the user's browser trusts, or dupe the user into trusting the certificate.

And, even if the site is configured to send the HSTS header, the attacker may also be able to pull off an sslstrip attack, if the user has never connected to the site before, and the site is not on an HSTS preload list that the user's browser loads.

mti2935
  • 21,098
  • 2
  • 47
  • 66
0

You forgot one vector: the certificate.

If the attacker have the capability of issuing the certificate of the target domain, he can still intercept and modify the data.

Public CA certificates are well protected, and issuing a fraudulent certificate is very unlikely, but not impossible. CA security failures ave happened in the past, and will continue to happen.

The main issue is when the victim is on a corporate network with mandated HTTPS interception in the proxy. Almost all security solutions dealing with HTTPS will terminate the original TLS connection on the border, analyse the contents, and create a certificate on-fly with its own CA certificate. If the attacker manages to compromise this certificate, he is in position of MitM every connection.

HTTP Public Key Pinning was intended to fix that:

HTTP Public Key Pinning (HPKP) was a security feature that used to tell a web client to associate a specific cryptographic public key with a certain web server to decrease the risk of MITM attacks with forged certificates. It has been removed in modern browsers and is no longer supported.

It was a good idea, but several devastating attacks employing HPKP turned it more into a liability than an asset, and currently no browser uses it anymore.

ThoriumBR
  • 51,983
  • 13
  • 131
  • 149