Created June 8, 2016 12:30
SSL Strip: Man in the Middle
Note 1:
  "cpez" represents an encrypted body, because
  "cpez" == "body".chars.map(&:succ).join

Note 2:
  :80 means "port 80", i.e. HTTP
  :443 means "port 443", i.e. HTTPS

SSL Strip (I think):

Browser                MitM                 Server
   | -- GET :80/ ->     | -- GET :80/ ->     |
   |                    | <- 302 :443/ --    |
   |                    | -- GET :443/ ->    |
   |                    | <- 200 cpez --     |
   | <- 200 body --     |                    |
My hypothesis:
  Server could track your public key from previous logins;
  then when the MitM tries to handshake, the server could realize
  that the key is different. IDK if this will work, b/c
  there's no reason to think you can't change your key
  (e.g. it probably changes across browsers / devices).