
deSSLify the connection on the fly

How is this possible?

Intercept HTTP requests that the target site tries to redirect to HTTPS. Then proxy the HTTPS connection. If the user doesn't notice that the lock icon is missing from the URL bar, then they're being effectively MITM'd (and anyone on the WiFi can see all their traffic).


  1. Alice enters "paypal.com" into her browser.
  2. Alice's browser issues a request to http://paypal.com/
  3. Mallory intercepts this request, and replays it.
  4. http://paypal.com redirects to https://www.paypal.com/
  5. Mallory's proxy fetches the PayPal content and returns it to Alice.
  6. Alice sees "http://www.paypal.com/..." in her URL bar without the green lock, but doesn't notice.
  7. Alice enters her password.
  8. Mallory steals all her money.

A response to this attack is the "HTTP Strict Transport Security" extension implemented by modern browsers, which, for sites that enable it, prevents the browser from ever even attempting a non-encrypted connection to the site, and also prohibits bypassing the SSL certificate warning page if an unknown/invalid certificate is presented by a MITM attacker.

I guess I'm one of the few people who always enter complete URLs, e.g. I would enter https://www.paypal.com, when I go to a site that I want SSL on.

I also do check that the lock is on, or for a site like a bank or paypal, that the address bar is green.

Do you want a cookie or something?
