
Showing posts from August, 2018

Bettercap with SSLSTRIP attack - Does it still work?

For a long time, a MITM attack with SSLSTRIP was relatively easy to carry out. This changed once websites started to use HSTS (HTTP Strict Transport Security). SSLSTRIP alone is powerless against HTTPS websites that implement HSTS correctly. On the other hand, many websites on the Internet DO NOT configure HSTS correctly. This misconfiguration still leaves them vulnerable to MITM attacks using SSLSTRIP, under particular conditions.

In this video we will test Bettercap and SSLSTRIP against different categories of websites. All the tested websites use HTTPS, but they differ in the way they implement HSTS:

- The first category of websites has HSTS correctly implemented, and the HSTS status of each website is also preloaded into the Internet browser. (The website's HSTS status is known by the web browser before the first access.) The test sites in the first category are: facebook.com, gmail.com and twitter.com
- The second category of websites hav