Q and A on cross site request forgeries and breaking into sessions. It's one of the attacks that XSS enables and the attack of the future. For Session, fixations, hijacking, lockout, replay, session riding etc.... 
sslstrip why it works for me and not for gmail and rest?
Posted by: lazer
Date: January 24, 2012 11:04AM

I need help understanding the dynamics of the sslstrip attack against SSL certs. I'm using it to test the security of a site which is in my ownership. I can successfully sniff the victim's credentials over the internet, but when the same attack happens in the case of Gmail or Live MSN I get no stuff back; it's completely static in that case.

Does it mean their SSL is secure and mine is not? Like the rogue SSL cert generated by sslstrip is caught and blocked by their SSL cert security, and mine is configured in an insecure mode?

What do I need to do to prevent my site from such attacks? Thanks.

Re: sslstrip why it works for me and not for gmail and rest?
Posted by: Albino
Date: January 24, 2012 01:49PM

I'm pretty sure it doesn't work by generating a rogue SSL cert. It simply re-writes https links to http. To protect your site from it you'll need to configure the server/pages to redirect http requests to https. Adding the 'secure' flag to cookies should help, too.

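A defender-side check for the two mitigations Albino describes, as an added example that is not code from any poster in this thread. It audits a site's plain-http and https responses for the http-to-https redirect and the Secure flag on cookies, and additionally for the Strict-Transport-Security header (not mentioned in the thread, but the standard way to make a browser refuse the downgraded connection). The hostnames, cookie names and responses are constructed samples.

```python
from urllib.parse import urlsplit

REDIRECTS = {301, 302, 303, 307, 308}

def cookie_attrs(set_cookie):
    """Split one Set-Cookie header into (name, lower-cased attribute names)."""
    parts = [p.strip() for p in set_cookie.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0]
    return name, {p.split("=", 1)[0].lower() for p in parts[1:]}

def audit(http_resp, https_resp):
    """Return findings for a site, given its response to a plain http:// request
    and to the equivalent https:// request. Each response is (status, headers),
    headers as (name, value) pairs since Set-Cookie may repeat. Empty list = pass."""
    findings = []
    status, headers = http_resp
    location = next((v for k, v in headers if k.lower() == "location"), "")
    # 1. Plain HTTP must only redirect to https; a page served here is what a
    #    link-rewriting downgrade keeps the victim on.
    if status not in REDIRECTS:
        findings.append("http served content instead of redirecting to https")
    elif urlsplit(location).scheme.lower() != "https":
        findings.append(f"http redirect points to non-https target {location!r}")
    # 2. A cookie without Secure is sent by the browser on the downgraded http connection.
    for _, hdrs in (http_resp, https_resp):
        for k, v in hdrs:
            if k.lower() == "set-cookie":
                name, attrs = cookie_attrs(v)
                if "secure" not in attrs:
                    findings.append(f"cookie {name!r} lacks Secure flag")
    # 3. HSTS is only honoured when received over https; once seen, the browser
    #    upgrades later plain-http requests itself, so there is nothing to strip.
    hsts = next((v for k, v in https_resp[1] if k.lower() == "strict-transport-security"), None)
    if hsts is None:
        findings.append("https response has no Strict-Transport-Security header")
    return findings

# Constructed sample responses (not captured from any real site).
VULNERABLE = (
    (200, [("Content-Type", "text/html"), ("Set-Cookie", "PHPSESSID=abc123; Path=/")]),
    (200, [("Content-Type", "text/html"), ("Set-Cookie", "PHPSESSID=abc123; Path=/")]),
)
HARDENED = (
    (301, [("Location", "https://example.test/login")]),
    (200, [("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
           ("Set-Cookie", "PHPSESSID=abc123; Path=/; Secure; HttpOnly")]),
)

if __name__ == "__main__":
    for label, site in (("vulnerable", VULNERABLE), ("hardened", HARDENED)):
        print(label, audit(*site) or ["ok"])
```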
Re: sslstrip why it works for me and not for gmail and rest?
Posted by: lazer
Date: January 24, 2012 11:36PM

Well, it's not me who said anything about the rogue stuff. It's the author himself. You can check the link over here.
www.obnosis.com/SSLstrip.ppt

Or I'm just confused about the whole stuff.

Re: sslstrip why it works for me and not for gmail and rest?
Posted by: lazer
Date: January 25, 2012 01:05PM

A more generous discussion is being followed here:
http://security.stackexchange.com/questions/10989/how-to-thwart-sslstrip-attack

I feel the change in fingerprint, and also, to say, the mismatched public cert creates a second fingerprint, a HASH value which is different when it's compared using this second public certificate. It's not a rogue, but it's just another copy of the server public cert sent via the attacker.
