Brain Dump

HTTPS

Tags
security networking

HTTPS is HTTP [see page 40, over] TLS. Because SSL's Record Protocol splits the data to be transferred into fragments and encrypts all of them, all the HTTP data (headers and URL parameters) is encrypted by the TLS tunnel when sent over HTTPS.

See [see page 41, process].

Vulnerabilities

HTTPS can be vulnerable to man in the middle attacks. Specifically, attackers may be able to bypass HTTPS at the user level. The [see page 49, goal] is essentially:

Force the browser to fall back to HTTP and hope the user won't notice.

Note: A man in the middle attack targeting TLS/SSL encrypted communications can also be referred to as SSL stripping.

Essentially, when the user enters a URL without a protocol name (HTTP/HTTPS) they would [see page 50, normally] be redirected to the HTTPS site (instead of the HTTP one), but in this case the attacker would [see page 51, receive the redirect] instead. The attacker can follow the redirect and form an HTTPS connection with the server, but the client isn't redirected. Instead, the attacker relays the server's responses to the client as decrypted HTTP. The client's requests are therefore sent unencrypted to the attacker, who can then forward them through the encrypted channel.

The thing to consider with this attack is: who is encrypting the traffic?

Countermeasures

  • Spot the browser telling you it's insecure (often in the address bar)
  • Notice the missing s in the URL
  • Install a browser plugin that rejects any HTTP communications. HTTPS or nothing (many modern browsers seem to be going in this direction).
  • HSTS
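
A defender-side check for the HSTS countermeasure, added here as an example (not part of the original notes): it parses the Strict-Transport-Security header and reports where a site still depends on the plain-HTTP redirect that stripping intercepts. The function names, finding labels, the 180-day threshold and the sample responses are all assumptions constructed for illustration.

```python
import re

def parse_hsts(value):
    """Parse a Strict-Transport-Security value; None if unusable."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        name = name.strip().lower()  # directive names are case-insensitive
        if name == "max-age":
            arg = arg.strip().strip('"')  # value may be a quoted string
            if not re.fullmatch(r"\d+", arg):
                return None  # malformed header: browsers ignore it entirely
            policy["max_age"] = int(arg)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy if policy["max_age"] is not None else None  # max-age is mandatory

def stripping_findings(http_resp, https_resp, min_age=15552000):
    """Responses are (status, headers) with lower-case header names.
    min_age (180 days) is an assumed policy threshold, not a standard."""
    findings = []
    status, headers = http_resp
    location = headers.get("location", "").lower()
    if status not in (301, 302, 307, 308) or not location.startswith("https://"):
        findings.append("http-not-redirected")
    if "strict-transport-security" in headers:
        findings.append("hsts-over-http-ignored")  # only honoured over HTTPS
    policy = parse_hsts(https_resp[1].get("strict-transport-security", ""))
    if policy is None:
        findings.append("no-valid-hsts")
    elif policy["max_age"] < min_age:
        findings.append("hsts-short-max-age")  # includes max-age=0 (policy off)
    elif not policy["preload"]:
        # Without preloading, the very first plain-HTTP request can still be
        # intercepted before the browser has ever seen the header.
        findings.append("first-visit-relies-on-redirect")
    return findings

# Constructed sample responses (not captured from any real site).
HARDENED = ((301, {"location": "https://example.test/"}),
            (200, {"strict-transport-security":
                   "max-age=31536000; includeSubDomains; preload"}))
WEAK = ((200, {"strict-transport-security": "max-age=31536000"}),
        (200, {"strict-transport-security": "max-age=300"}))

if __name__ == "__main__":
    print("hardened:", stripping_findings(*HARDENED))
    print("weak:    ", stripping_findings(*WEAK))
```

The preload directive only signals that the site wants to be preloaded; whether a browser actually ships the host in its preload list has to be checked separately.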