
Yes. It appears that, since KRACK can allow the attacker to hijack a TCP handshake, they could potentially downgrade an HTTPS connection where HSTS is not used, but that shouldn’t affect your VPN connection.



To be clear, if a client makes an HTTPS request, you cannot downgrade it to HTTP, even if you're in control of the TCP socket. You can only hijack connections that are initially made over HTTP.


In fact, you can, using sslstrip. It was demonstrated in the video, as well as in this article: https://arstechnica.com/information-technology/2017/10/sever....

I think this will only work against Android/Linux clients, since in that case the attacker actually knows the key, and can perform a proper MITM.


You cannot. sslstrip exists to attempt to work around the fact you can't directly downgrade HTTPS to HTTP.

In that video, because HSTS isn't used on match.com (unfortunate), the browser doesn't attempt to make an HTTPS connection at first. Obviously, if you have control of that TCP connection, you can do whatever you want. The browser is oblivious to HTTPS existing.

Also, be careful not to confuse the layers here. The encryption algorithms in WPA2 are completely unrelated to TLS/HTTPS. TLS is... somewhere in the OSI model, but it's well above WPA2/packet handling, and TLS can/does work with a compromised network.



