Sslstrip Issue

[Sleven]

Anyone experience this issue with SSLStrip? Also still posting pages in HTTPS. Eth0 pineapple/Wlan0 Pogoplug

[Mr-Protocol]

There was a counter measure to SSL Strip that was implemented after Moxie had released it. Not sure what it is called, don't remember. You could be running into that though.

[Sleven]

There was a counter measure to SSL Strip that was implemented after Moxie had released it. Not sure what it is called, don't remember. You could be running into that though.

Forgot to add my test environment. Victim --> Backtrack 5 R1 Attacker--> ARMv5 XFCE. Victim attempting to access gmail via mozilla firefox 9.0.1.

[Mr-Protocol]

Gmail has a way to avoid sslstrip, it has HSTS (Just had Moxie confirm what it was called).

http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security

[PineDominator]

Gmail has a way to avoid sslstrip, it has HSTS (Just had Moxie confirm what it was called).

http://en.wikipedia....nsport_Security

that is good thing? lol

I just had a sick idea for a prank exploit.

create a tool that adds HSTS headers to every web page request, that way the persons browser is essentially useless on those pages that can't serve up https.

I wonder if you could even speed it up by adding 10s or 100s of sites into one page owning multiple in one go.

[Sleven]

Gmail has a way to avoid sslstrip, it has HSTS (Just had Moxie confirm what it was called).

http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security

Did some troubleshooting. Came up with some strange results. One my computer time was way off. Another was while using Backtrack 5 as a victim I was able to grab passwords for twitter and so on but not gmail. When I switched to Windows 7 as the victim. I could grab them all. Don't have a mac os to try yet. Thought it was kinda strange.

Edited February 21, 2012 by Sleven