How does sslstrip work?
I've been reading up on SSLstrip and I'm not 100% sure on my understanding of how it works.
A lot of documentation seems to indicate that it simply replaces occurrences of "https" with "http" in traffic that it has access to. So a URL passing through such as "https://twitter.com" would be passed on to the victim as "http://twitter.com".
At this point does SSLstrip continue to communicate with Twitter via HTTPS on our behalf? Something like this:
Victim <== HTTP ==> Attacker <== HTTPS ==> Twitter
Or is it just the fact that the client is now communicating with Twitter over HTTP that gives us access to the traffic?
Victim <== HTTP ==> Attacker <== HTTP ==> Twitter
My guess is it would be the first option, where the Attacker continues to communicate with Twitter via HTTPS, as it is enforced by Twitter, but I would just like some clarification.
You should watch Moxie Marlinspike's talk Defeating SSL using SSLStrip. In short, SSLStrip is a type of MITM attack that forces a victim's browser into communicating with an adversary in plain-text over HTTP, and the adversary proxies the modified content from an HTTPS server. To do this, SSLStrip is "stripping" https:// URLs and turning them into http:// URLs.
HSTS is a proposed solution to this problem.
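The answer names HSTS as the fix: a browser that has stored a Strict-Transport-Security policy for a host refuses to talk plaintext HTTP to it, so the http:// links the proxy rewrote never get followed. Below is an added example (not part of the original question or answer) that parses the header as RFC 6797 defines it and audits a captured response set for the gaps that still leave room for a downgrade. The `min_max_age` default, the `over_tls` parameter and the sample header dictionaries are assumptions constructed for the example.

```python
"""Audit Strict-Transport-Security headers for downgrade resistance.

Added example for this Q&A page; it is not code from the original post.
Parsing follows RFC 6797 section 6.1: directives are ';'-separated,
names are case-insensitive, max-age is mandatory, values may be quoted,
and browsers ignore the header when it arrives over plain HTTP.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool
    preload: bool  # not in RFC 6797, but honoured by browser preload lists


def parse_hsts(header_value: str) -> Optional[HstsPolicy]:
    """Return the parsed policy, or None when the header is malformed
    (no max-age, or a non-numeric max-age), which browsers treat as absent."""
    max_age = None
    include_sub = False
    preload = False
    for directive in header_value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
        elif name == "preload":
            preload = True
    if max_age is None:
        return None
    return HstsPolicy(max_age, include_sub, preload)


def assess_response(headers: Dict[str, str], over_tls: bool = True,
                    min_max_age: int = 31536000) -> List[str]:
    """Return findings for one response.

    `headers` maps lowercased header names to values (as a fetch wrapper or
    a pcap parser would supply). `min_max_age` is a local policy floor
    (assumed here: one year); `over_tls` records which scheme carried the
    response, because an HSTS header received over http:// is ignored.
    """
    findings: List[str] = []
    hsts = headers.get("strict-transport-security")
    if hsts is None:
        findings.append("no HSTS header: a browser that starts on http:// can be held on plaintext")
        return findings
    if not over_tls:
        findings.append("HSTS header sent over http:// is ignored by browsers; serve it on the TLS response")
    policy = parse_hsts(hsts)
    if policy is None:
        findings.append("malformed HSTS header (missing or invalid max-age): browsers discard it")
        return findings
    if policy.max_age == 0:
        findings.append("max-age=0 deletes any stored policy for this host")
    elif policy.max_age < min_max_age:
        findings.append(f"max-age {policy.max_age} is below the local floor of {min_max_age}")
    if not policy.include_subdomains:
        findings.append("includeSubDomains absent: subdomains may still be reached over http://")
    if not policy.preload:
        findings.append("preload absent: the very first visit happens before any policy is learned")
    return findings


# Constructed sample responses (not captured from any real site).
SAMPLE_RESPONSES = {
    "hardened": {"strict-transport-security": "max-age=31536000; includeSubDomains; preload"},
    "weak": {"strict-transport-security": 'max-age="600"'},
    "broken": {"strict-transport-security": "includeSubDomains"},
    "missing": {"content-type": "text/html"},
}

if __name__ == "__main__":
    for label, hdrs in SAMPLE_RESPONSES.items():
        print(label, assess_response(hdrs) or ["ok"])
```

The checker deliberately treats a missing or malformed header the same way a browser does, as no policy at all, so a typo in the directive name shows up as a finding rather than a false sense of coverage.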