I think LongOfTooth's solution will actually work just fine. The SSLStrip tool needs to get original information via unencrypted HTTP. If you never send any HTTP requests, and start from the beginning with HTTPS, you're safe from this attack.The danger of the SSLStrip attack is that if you *start* with HTTP and, from there, click on something that requests an HTTPS page, the MitM will *at that point* hijack the session and prevent your browser from connecting to the real server via HTTPS.So no, LongOfTooth, you're not missing something. Setting your bookmark to use HTTPS - effectively the same thing as typing in the HTTPS URL in the address bar - is a safe and simple way to prevent this attack. It's just that most people bookmark the HTTP URL, if they use a bookmark at all.
↧