Internet Security, or lack thereof...

As I was looking around, I was given a link to this tool called sslstrip. Looking closer, I could see that the guy had a point, really! That is, his method works. Not only that: as you can see in the video, running the system for a day on a single computer can capture the content of POST requests carrying over 100 passwords, credit card numbers, etc.

Although this requires you to have access to a local network to start the man-in-the-middle attack, it looks quite simple to hack a so-called secure website.

A few years ago, it was as simple as adding a certificate in the chain (duh!) and you could make it all look legitimate to the end user (as far as the URL and security go; if you were to check the certificate, it might look dodgy, but who does that?).

Now you need to do a little more work, but any site that starts with HTTP and later switches to HTTPS is vulnerable to this attack. Why? Because at the time the server switches, the man in the middle can keep the connection unencrypted on your end and thus receive your information in the clear before forwarding it to the server. The server thinks that nothing bad has happened since, as far as it is concerned, it receives exactly what the user sends to the middle man.

Not only that, to the user, everything looks perfect since he receives all the files from the secure site as if the site had sent them straight to him.
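
An added example (not from the original post and not sslstrip's code): a site-owner audit that lists where a response delivered over plain HTTP hands the visitor off to HTTPS, which are the switch points described above. The host name, finding labels and sample page are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class SwitchFinder(HTMLParser):
    """Collect link/form targets; flag forms that contain a password field."""
    def __init__(self, base_url):
        super().__init__()
        self.base_url, self.links, self.forms = base_url, [], []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.append(urljoin(self.base_url, a["href"]))
        elif tag == "form":  # stored as [absolute action URL, has_password_field]
            self.forms.append([urljoin(self.base_url, a.get("action") or ""), False])
        elif tag == "input" and (a.get("type") or "").lower() == "password" and self.forms:
            self.forms[-1][1] = True

def audit_http_response(url, headers, body):
    """Findings for a response delivered over plain HTTP (empty list if HTTPS)."""
    if urlsplit(url).scheme != "http":
        return []
    findings = []
    location = {k.lower(): v for k, v in headers.items()}.get("location")
    if location and urlsplit(urljoin(url, location)).scheme == "https":
        findings.append(("redirect-to-https", urljoin(url, location)))
    finder = SwitchFinder(url)
    finder.feed(body)
    for target in finder.links:
        if urlsplit(target).scheme == "https":
            findings.append(("link-to-https", target))
    for action, has_password in finder.forms:
        scheme = urlsplit(action).scheme
        if has_password and scheme == "http":
            findings.append(("password-form-cleartext", action))
        elif scheme == "https":
            findings.append(("form-to-https", action))
    return findings

# Constructed sample: a login page served over HTTP whose form posts to HTTPS.
SAMPLE_URL = "http://shop.example/login"
SAMPLE_BODY = """<html><body>
<a href="https://shop.example/account">My account</a>
<form action="https://shop.example/session" method="post">
  <input name="user"><input type="password" name="pw"></form>
<form action="/search"><input name="q"></form>
</body></html>"""

if __name__ == "__main__":
    print(*audit_http_response(SAMPLE_URL, {}, SAMPLE_BODY), sep="\n")
```

Every finding is a point where the page that tells the browser to use HTTPS was itself delivered unencrypted, so the instruction to switch is only as trustworthy as the cleartext channel that carried it.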