steakejjs | 11 years ago Sounds like we were always on the same page... I never said an attacker can't do this. I'm saying an attacker can't do a s/https/http and have a user end up at an HTTP login page, where the attacker can sniff credentials.
nitrogen|11 years ago The attacker operates the http login page as a MITM. If they can mangle http traffic, they can run a full MITM.
coderzach|11 years ago Yes they can. They make the secure login connection, and terminate it themselves, then route what they received along to the user with s/https/http.