
Sounds like we were always on the same page...

I never said an attacker can't do this. I'm saying an attacker can't do a s/https/http and have a user end up at an HTTP login page, where the attacker can sniff credentials.



The attacker operates the http login page as a MITM. If they can mangle http traffic, they can run a full MITM.


Yes, they can. They make the secure login connection, and terminate it themselves, then route what they received along to the user with s/https/http.



