Why don't “Unsecure connection” warnings in modern browsers work against SSL Strip?
Viewed 344 times
-1
Maybe this one can help you: http://security.stackexchange.com/questions/41988/how-does-sslstrip-work – overshadow Dec 07 '14 at 16:53
1 Answer
1
You should watch Moxie Marlinspike's talk Defeating SSL using SSLStrip. In short, SSLStrip is a type of MITM attack that forces a victim's browser into communicating with an adversary in plain-text over HTTP, and the adversary proxies the modified content from an HTTPS server. To do this, SSLStrip is "stripping" https:// URLs and turning them into http:// URLs.
HSTS is a proposed solution to this problem.
Answer From How does SSLstrip work?
overshadow