In my post last year I wrote about 'Protecting Your Data'. One topic I touched about protecting data while in transit.
Figure Illustrates a Rogue Wifi AP to Intercept Traffic
With the proliferation of free wifi hot spots everywhere, it is important to be mindful of your privacy and online security. Such 'hotspots' could be deliberately setup to lure you to connect for free Internet access with an intention to harvest credentials such as webmail, social media & online banking accounts. During my test of Wifi-pumpkin, not all websites were vulnerable to ssl stripping. For instance, some websites implement HSTS (HTTP Strict Transport Security), a mechanism that denies HTTPS traffic from being downgraded. However, there are still a significant number of websites that are vulnerable to this form of attack. Some online banking websites have taken added precaution by encoding/hashing user credentials prior to TLS transmission. Thus raises the bar for the threat actor that intercepts to decipher the symmetric key. It is worth to note that sslstripping is also browser dependent. I've tested some stock browsers on older Android models and it works like a charm. Surprisingly, Firefox on mobile and PC seems to be vulnerable to this attack too. Check out the video to see how sslstripping removes the SSL/TLS hyperlinks in a search query done on bing.com and google.com. It was noted that bing does not warn the user of the downgrade but google does. The learnings from here is to be careful of public wifi hotspots. Especially at airports, malls, cafe, etc. Always connect to a trusted vpn provider whilst using a public hotspot.
No comments:
Post a Comment