EvilZone

: HTTPS Everywhere (Firefox addon) protects against SSLStrip attacks
: m0l0ko June 03, 2012, 01:58:39 AM
I'm practicing MITM attacks on myself (using a BT5 VM as the attacker) and I noticed that when I entered passwords into websites using Opera, ettercap sniffed them, but when I used Firefox, ettercap couldn't sniff anything. I was trying to figure out why that was, then I realised that a plugin I have for Firefox (it's called HTTPS Everywhere) was forcing Firefox to use the HTTPS protocol, rendering SSLStrip useless. HTTPS Everywhere is a brilliant addon; it forces Firefox to use the HTTPS protocol wherever possible so you don't have to do it manually.
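An added example (not part of the original post, and not the add-on's own code) of the rule-based rewrite described above: `http://` URLs for listed hosts are rewritten to `https://` before any request is sent, so no plaintext request exists for a proxy on the path to see. The rulesets, host names and function names are constructed for illustration.

```javascript
// Constructed rulesets, loosely modelled on the target / exclusion / rule
// layout of HTTPS Everywhere rulesets. Host names are placeholders.
const RULESETS = [
  {
    name: "Example (constructed)",
    targets: ["example.com", "*.example.com"],
    // URLs matching an exclusion are left alone (e.g. content only served over HTTP).
    exclusions: [/^http:\/\/static\.example\.com\/legacy\//],
    rules: [
      { from: /^http:\/\/(www\.)?example\.com\//, to: "https://$1example.com/" },
      { from: /^http:\/\/([^/:@.]+)\.example\.com\//, to: "https://$1.example.com/" },
    ],
  },
];

// "*.example.com" matches any subdomain but not look-alikes such as "evilexample.com".
function hostMatches(host, target) {
  return target.startsWith("*.") ? host.endsWith(target.slice(1)) : host === target;
}

// Decide, before any request leaves the browser, which URL is actually fetched.
function upgradeUrl(rawUrl, rulesets = RULESETS) {
  let url;
  try {
    url = new URL(rawUrl); // normalises case and adds the trailing "/" on bare hosts
  } catch {
    return { url: rawUrl, upgraded: false };
  }
  if (url.protocol !== "http:") return { url: url.href, upgraded: false };
  for (const rs of rulesets) {
    if (!rs.targets.some((t) => hostMatches(url.hostname, t))) continue;
    if (rs.exclusions.some((re) => re.test(url.href))) continue;
    for (const rule of rs.rules) {
      if (rule.from.test(url.href)) {
        return { url: url.href.replace(rule.from, rule.to), upgraded: true };
      }
    }
  }
  // No ruleset covers this host: the request still goes out over plain HTTP.
  return { url: url.href, upgraded: false };
}

for (const u of ["http://www.example.com/login", "http://unlisted.test/login"]) {
  console.log(u, "->", upgradeUrl(u));
}
```

Hosts without a matching ruleset are returned unchanged, which is why this kind of rewrite only protects "wherever possible".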
: Re: HTTPS Everywhere (Firefox addon) protects against SSLStrip attacks
: offensive June 03, 2012, 02:56:49 AM
I think SSLStrip can capture your password. HTTPS Everywhere is not a problem.
: Re: HTTPS Everywhere (Firefox addon) protects against SSLStrip attacks
: m0l0ko June 03, 2012, 03:02:22 AM
You sure about that? I tried to get ettercap to sniff my username/password when I entered it into Firefox, but I couldn't get Firefox to go to regular HTTP pages at all; it just redirected to HTTPS.
: Re: HTTPS Everywhere (Firefox addon) protects against SSLStrip attacks
: Kulverstukas June 03, 2012, 08:12:58 AM
HTTPS uses the SSL protocol, so SSLStrip is a decoding program that strips encryption from captured data sent with HTTPS. If you couldn't get the password with SSLStrip then you were doing it wrong :D
I too use HTTPS everywhere I can when I am on public networks.