I saw this video where news reporter is in public place, and some security exper
ID: 659352 • Letter: I
Question
I saw this video where news reporter is in public place, and some security expert demonstrates to her that even though she logged in at page which was using https that guy got password in his computer.
How that might work, any ideas? I can't find video, but video didn't have any more details or words to go over beside that be careful using any other free wifis. It was published little bit before olympics in russia.
I thought https was secure, but he showed on screen the password she had written in login form.
Explanation / Answer
If the site does not have HSTS (HTTP Strict Transport Security) enabled then I believe you can capture login information without generating a certificate warning using software like SSLstrip.
SSLstrip does not bother forging a certificate; instead, it removes SSL entirely. Many webpages are accessible via both standard HTTP and secure HTTPS, but the standard HTTP page redirects to the HTTPS version. SSLstrip works by watching for these redirects, and then blocks it to make sure the victim goes to an HTTP version of the login page. If the attacker wants to keep the padlock symbol, he can redirect the victim to a fake login page on his own server that uses HTTPS.
To protect yourself you should always look at the address bar to make sure that HTTPS is actually in use when you expect it to be, and that the URL of the site matches what you were expecting. Also take a look at HTTPS Everywhere.