0

I saw this video where a news reporter is in a public place, and a security expert demonstrates to her that even though she logged in on a page which was using HTTPS, he got the password on his computer.

How might that work, any ideas? I can't find the video, but it didn't have any more details to go over besides a warning to be careful using free Wi-Fi. It was published a little bit before the Olympics in Russia.

I thought HTTPS was secure, but he showed on screen the password she had typed into the login form.

Muhammad Umer
  • 4
    Could be that he was executing a MiTM attack, and either the device didn't fully validate the certificate, or the user ignored the warnings it generated... – Clockwork-Muse Sep 20 '14 at 06:41
  • 4
    Without more information (in particular, the video in question), there's no good way to answer this. – Mark Sep 20 '14 at 07:19
  • 1
    Possible duplicate: [_Is visiting HTTPS websites on a public hotspot secure?_](http://security.stackexchange.com/q/1525/38377) – IQAndreas Sep 20 '14 at 07:47
  • After searching with all the terms I could think of, I can't find that video for the life of me. It's so frustrating. Anyway, the question linked as a duplicate says "no", unless certificates are forged, as is the case in this video, which is not the video I watched in Feb: http://www.kare11.com/story/local/2012/02/02/3717231/ In the original video the reporter just signs into some site, and the other guy has the password in his CLI. – Muhammad Umer Sep 20 '14 at 20:02

1 Answer

0

Is this the video you're referring to?

If the site does not have HSTS (HTTP Strict Transport Security) enabled then I believe you can capture login information without generating a certificate warning using software like SSLstrip.

SSLstrip does not bother forging a certificate; instead, it removes SSL entirely. Many webpages are accessible via both standard HTTP and secure HTTPS, but the standard HTTP page redirects to the HTTPS version. SSLstrip works by watching for these redirects and then blocking them to make sure the victim goes to an HTTP version of the login page. If the attacker wants to keep the padlock symbol, he can redirect the victim to a fake login page on his own server that uses HTTPS.

To protect yourself you should always look at the address bar to make sure that HTTPS is actually in use when you expect it to be, and that the URL of the site matches what you were expecting. Also take a look at HTTPS Everywhere.

See How to thwart sslstrip attack?

tlng05
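For site operators, the HSTS condition mentioned in the answer can be checked from response headers. The following is an added example, not part of the original answer: it parses `Strict-Transport-Security` following the rules in RFC 6797 and classifies constructed sample responses. The verdict labels, the `MIN_MAX_AGE` threshold and the sample headers are assumptions made for illustration.

```python
import re

MIN_MAX_AGE = 15552000  # 180 days; assumed policy threshold, not from the page

def parse_hsts(value):
    """Return {'max_age', 'include_subdomains'} or None if the header is invalid."""
    policy = {"max_age": None, "include_subdomains": False}
    seen = set()
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if not name:
            continue
        if name in seen:
            return None  # RFC 6797: each directive may appear only once
        seen.add(name)
        if name == "max-age":
            if not re.fullmatch(r"\d+", arg):
                return None
            policy["max_age"] = int(arg)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
    return policy if policy["max_age"] is not None else None  # max-age is required

def assess(scheme, headers):
    """Classify one response; scheme is 'http' or 'https', headers is a dict."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    raw = hdrs.get("strict-transport-security")
    if scheme != "https":
        # Browsers ignore HSTS received over plain HTTP, so it protects nothing here
        return "ignored-over-http" if raw else "no-hsts"
    if raw is None:
        return "no-hsts"  # HTTP-to-HTTPS redirect is the only upgrade path
    policy = parse_hsts(raw)
    if policy is None:
        return "invalid"
    if policy["max_age"] == 0:
        return "disabled"  # max-age=0 tells the browser to forget the policy
    return "ok" if policy["max_age"] >= MIN_MAX_AGE else "short-max-age"

# Constructed sample responses (not captured from any real site)
SAMPLES = [
    ("https", {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}),
    ("https", {"Content-Type": "text/html"}),
    ("http", {"Location": "https://example.test/login",
              "Strict-Transport-Security": "max-age=31536000"}),
    ("https", {"strict-transport-security": "max-age=0"}),
    ("https", {"Strict-Transport-Security": "includeSubDomains"}),
    ("https", {"Strict-Transport-Security": "max-age=300"}),
]

def audit(samples):
    return [assess(scheme, headers) for scheme, headers in samples]

if __name__ == "__main__":
    for (scheme, _), verdict in zip(SAMPLES, audit(SAMPLES)):
        print(f"{scheme:5} -> {verdict}")
```

Any verdict other than `ok` means the browser will still make a plain HTTP request on some visits, which is the request the answer describes being intercepted.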