WEBVTT

0
00:00.420 --> 00:05.890
Let's go ahead and see what the available attacks on HTTPS are.

1
00:06.060 --> 00:07.650
There are two known attacks:

2
00:07.770 --> 00:10.170
SSL Sniffing and SSL Stripping!

3
00:10.170 --> 00:14.160
Let's take them one by one.

4
00:14.310 --> 00:18.570
SSL sniffing means performing a man-in-the-middle (MitM)


5
00:18.580 --> 00:20.860
attack on SSL traffic.

6
00:20.940 --> 00:28.260
The Hacker will run an ARP Spoofing attack to insert himself between the client which is the victim

7
00:28.500 --> 00:30.660
and the original web server.

8
00:30.720 --> 00:38.550
The hacker dynamically or on the fly generates certificates for the domains that are being accessed

9
00:38.670 --> 00:45.630
and uses those spoofed certificates for the part of the connection between him and the victim.

10
00:46.790 --> 00:54.260
All traffic will be sniffed and seen in clear text. The victim's browser will recognize that the

11
00:54.320 --> 01:00.760
certificate is not authentic because it's not signed by an authority

12
01:00.800 --> 01:04.620
the browser trusts and will display a security warning.

13
01:05.120 --> 01:07.570
This is such a security warning.

14
01:07.730 --> 01:12.960
The certificate the server has sent to the client is not authentic.

15
01:13.990 --> 01:17.470
Now if the user that accepts the security warning

16
01:17.890 --> 01:22.630
Proceed to www.bbc.co.uk

17
01:22.630 --> 01:30.460
he will be hacked; the encrypted data will be decrypted by the hacker using the spoofed certificate and

18
01:30.490 --> 01:36.490
then sent to the destination web server encrypted using the original certificate.

19
01:36.700 --> 01:44.200
The attack will be transparent so the hacker will use two certificates: the good one for the connection

20
01:44.200 --> 01:52.320
between him and the web server and the spoofed certificate for the connection between him and the victim.

21
01:52.330 --> 02:00.130
This attack cannot be performed on any website, especially on big ones like Google.com or Facebook

22
02:00.160 --> 02:01.050
.com.

23
02:01.060 --> 02:09.970
These websites use HSTS and if the victim uses the latest version of any browser the browser will not

24
02:09.970 --> 02:17.320
accept a fake or a self-signed certificate for those domains. In the next lecture

25
02:17.350 --> 02:20.690
I'll show you live an SSL sniffing attack.

26
02:21.000 --> 02:27.330
The 2nd known attack on HTTPS is called SSL stripping.

27
02:27.340 --> 02:35.530
This is also known as HTTPS Downgrade attack because it will try to downgrade HTTPS connections


28
02:35.800 --> 02:43.980
to their HTTP or unencrypted counterpart. Usually when you connect to a website

29
02:44.020 --> 02:53.110
you don't specify HTTP or HTTPS, you just write the domain name like google.com and the browser

30
02:53.290 --> 02:57.070
connects to port 80 which is HTTP.

31
02:57.070 --> 03:06.310
Usually the web server uses redirects to take users to the HTTPS site and to ensure that they

32
03:06.310 --> 03:15.760
can’t reach the HTTP site. In an SSL stripping attack the hacker will manipulate the redirects and

33
03:15.760 --> 03:20.270
send the users to the HTTP, unencrypted site.

34
03:20.320 --> 03:27.610
Now the user is still on the site interacting as he normally would but every bit of data he transmits

35
03:27.820 --> 03:29.400
is in plain text.

36
03:29.400 --> 03:37.240
Note that SSL Stripping does not convert already established HTTPS connections to HTTP.

37
03:37.360 --> 03:47.640
It only does this in the sense that your URLs are rewritten from HTTPS to HTTP. Note that this

38
03:47.640 --> 03:51.700
is only a partial attack that does not work on any website.

39
03:51.720 --> 03:59.580
There are so many variables involved. HSTS domains are especially immune to this attack!

40
03:59.580 --> 04:08.250
In this lecture we've discussed HTTP, HTTPS, HSTS and what the available attacks are.


41
04:08.550 --> 04:10.240
In the next two lectures

42
04:10.350 --> 04:15.690
I'll show you both an SSL Sniffing and an SSL Stripping attack.