I was doing a video on how HTTP Strict Transport Security protects you from Man-In-The-Middle attacks and was using Google as an example. Turns out google.com isn't in the HSTS preload list, and just redirects to www.google.com which means HSTS is only set for www.google.com, not google.com 1/2 - ThreadSky

malwaretech.com • 112 days ago

I was doing a video on how HTTP Strict Transport Security protects you from Man-In-The-Middle attacks and was using Google as an example. Turns out google.com isn't in the HSTS preload list, and just redirects to www.google.com which means HSTS is only set for www.google.com, not google.com 1/2

Comments

diegobr03.bsky.social•112 days ago

Wouldnt this be considered a vulnerability?

oracularhades.com•112 days ago

they're so quirky like that.

joshwenke.com•111 days ago

Doesn't submitting a domain to the HSTS preload list force the includeSubDomains directive? Has Google just not submitted their domain to HSTSpreload? This seems so silly.

russ.garrett.co.uk•112 days ago

Apparently it's hardcoded (not preloaded) in Chrome, for some reason...

orpach.bsky.social•112 days ago

Probably so that really old browsers can still use the site.

malwaretech.com•112 days ago

As a result, if you were able to get someone to click a http://google.com link they've never been to before such as http://google.com?search=abc123 you should be able to just SSL strip the connection and Man-in-the-middle their searches and anything to the google.com base domain. 2/2

thomas.tmbarrett.xyz•112 days ago

I had to read this a couple of times and look at some things using ‘curl’.

Interesting. It doesn’t look good.

I know a lot of people de-googling because of their “AI” goals. So this could be a problem in the future as people may utilize Google again.

jpt.fyi•112 days ago

My uninformed guess to why this is:

When you’re in a captive portal, but not one that pops the special UI. Often folks (myself) type “google.com” into the address bar. The captive portal can actually serve up its page here. Not really a great reason, but I can understand it being a legacy decision.

benslayton.bsky.social•112 days ago

Captive portals are a pain in the ass. There has to be a better way

giveupalready.bsky.social•112 days ago

Http://httpforever.com

orpach.bsky.social•112 days ago

Special UI?
I think any OS/browser that prompts you to go to a captive portal implements that feature themselves by trying to load an unencrypted "connectivity check" page.

When that fails, I usually use https://example.com.

jpt.fyi•112 days ago

Yeah. The captive portal check usually triggers the browser or OS to open the captive portal login, but not always. Historically that didn’t work as well as it does now, and I still find some networks where I have to manually visit some plain http website to trigger it.

charadeur.bsky.social•112 days ago

Interesting. I have yet to see a real world example of someone doing a man-in-the-middle attack on a https site that didn't require someone ignoring the warning.

gune.ninja•112 days ago

I don’t have experience executing SSL stripping myself but I’m of the understanding that the attacker is able to intercept the redirect to upgrade to SSL (https) and instead keep them on an insecure connection where their traffic can be freely inspected/manipulated.

gune.ninja•112 days ago

Typically HSTS would prevent this, except for the first time unless on the preload list - which makes google[dot]com particularly vulnerable apparently

charadeur.bsky.social•111 days ago

Exactly. I think the only way is to get your own root certificate on their system so you can create certificates with any name. I'm not super strong with cryptography but I don't think we have quantum computers that can factor a root cert yet. I assume they will just make the key longer when they do

gune.ninja•111 days ago

I'm not sure you even need a cert for anything because I think the idea is that you keep them on a http:// connection despite the redirect to https:// because you're MITM'ing. You write the script to see the redirect before it hits the clients browser and rewrite it to stay http:// 😈

charadeur.bsky.social•111 days ago

I didn't think that was possible anymore but honestly not an area I am strong in. I do have a pineapple I have played with and honestly I can't make a man in the middle work for most things. Not like the old days where telnet passwords were in the clear.

gune.ninja•111 days ago

I still need to get a Pineapple. I got a LAN tap throwing star, a Flipper Zero, some security routers, rpis, etc - but nothing too fancy from hak5. I used to have a Rubber Ducky too but I gifted it to a buddy's kid to learn with

Comments

Posting Rules

Reply