0

From what understand, SSL-Strip sits between the target user and the server, establishing a HTTPS connection between itself and the server, and an unsecured, plain old HTTP channel between itself and the target user.

What confuses me is, in a video demo of the tool, one of the prerequisites was an SSL certificate.

Why is the certificate required? Can't the "computer proxy acting as a fake user" send the plaintext back to the user without one? In fact, it seems the only reason a signed SSL certificate would be required would be if the middle-man sent back HTTPS encrypted data back to the user.

Improve this question
1

1 Answer 1

Reset to default
2

SSLStrip can work of one of two ways:

It will transparently hijack HTTP traffic on a network, watch for HTTPS links and redirects, then map those links into either look-alike HTTP links or homograph-similar HTTPS links.

The video is talking about the latter. So you can still use HTTPS, but try to fool the victim into going to https://www.gmail.attacker.com. Where the attacker owns a valid SSL cert for *.attacker.com. A valid SSL cert isn't required if you're simply replacing https links with http links. i.e. https://www.gmail.com with http://www.gmail.com

http://www.thoughtcrime.org/software/sslstrip/

Improve this answer

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.