[HTTPS-Everywhere] Sites that already enforce HTTPS

Seth David Schoen schoen at eff.org
Wed Aug 31 17:45:07 PDT 2011


Micah Lee writes:

> If the website in question forces https and uses secure cookies, a tool
> like sslstrip can prevent the redirecting to https and you might not
> notice. The attacker using sslstrip will still be making an https
> connection to the server, but you'll be making an http connection to the
> attacker.

They could also redirect you to an HTTPS site that they control with
a similar name to the site you intended to access, which acts as a
proxy for the latter.  https://www.paypa1.com/ would be a good example
for PayPal except that PayPal happens to control it; if they didn't,
an attacker could register it and then make requests to http://paypal.com/
appear to send a redirect to https://www.paypa1.com/.  There may well
be some persuasive names still available for this kind of attack on
some popular sites; see

https://secure.wikimedia.org/wikipedia/en/wiki/Homoglyph

Another gimmick used by phishers is to create an apparently regional
version of the site by adding some kind of geographic indication to
the name, like paypalus.com, paypal-de.com, paypalitalia.it, ...  In
the SSL stripping case, an attacker could generate a redirect to the
secure version of a domain like this that was controlled by the
attacker.

(In real life, PayPal is the major proponent of HSTS, so they can hope
to achieve some protection against these attacks with the most modern
browsers.  But there are some sites that default to HTTPS that don't
use HSTS, and even HTTPS Everywhere users without an HSTS
implementation in their browsers at all, so I think there's still
going to be merit to having rules for sites in this situation.)

-- 
Seth Schoen  <schoen at eff.org>
Senior Staff Technologist                       https://www.eff.org/
Electronic Frontier Foundation                  https://www.eff.org/join
454 Shotwell Street, San Francisco, CA  94110   +1 415 436 9333 x107
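As an added example (not code from the thread or from the HTTPS Everywhere project), here is a Python check a site owner or log reviewer could run over observed redirect targets to separate a legitimate same-site HTTPS redirect from the sslstrip downgrade and the look-alike domains described above. The confusable table and the two-label registrable-domain rule are simplifying assumptions.

```python
from urllib.parse import urlparse

# Small, constructed fold table for characters that look alike in many fonts.
# A production check would use the Unicode confusables data instead.
CONFUSABLES = {"1": "l", "0": "o", "5": "s", "3": "e", "vv": "w", "rn": "m"}


def fold_confusables(label):
    """Normalise a label so visually similar spellings compare equal."""
    for fake, real in CONFUSABLES.items():
        label = label.replace(fake, real)
    return label


def registrable(host):
    """Last two labels of a hostname (assumption: ignores multi-label
    public suffixes such as co.uk)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def classify_redirect(expected_host, location):
    """Where is a redirect sending the user, relative to the intended site?
      'downgrade' - Location is not https (the sslstrip case)
      'same-site' - same registrable domain, over https
      'lookalike' - other domain whose name imitates the expected brand
      'other'     - unrelated domain
    """
    target = urlparse(location)
    if target.scheme != "https" or not target.hostname:
        return "downgrade"
    want = registrable(expected_host)
    got = registrable(target.hostname)
    if got == want:
        return "same-site"
    brand = want.split(".")[0]  # e.g. "paypal"
    if brand in fold_confusables(got.split(".")[0]):
        return "lookalike"
    return "other"


if __name__ == "__main__":
    # Constructed sample Location headers, mirroring the names in the thread.
    SAMPLE = ["https://www.paypal.com/signin", "http://www.paypal.com/signin",
              "https://www.paypa1.com/", "https://paypal-de.com/login",
              "https://paypalitalia.it/", "https://example.org/"]
    for loc in SAMPLE:
        print(f"{classify_redirect('paypal.com', loc):10} {loc}")
```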
