Another MitM attack using the browser's inability to force you to only use SSL for a given domain. We need a function in our browsers to specify domain XYZ only should use SSL. I know it sounds ghetto, but I would love to force domains matching "ssl.* . *" in my browser to only work with strong SSL on port 443 and nothing else (by default).
I know, why not just use https:// ? But it's hard to train users to act a different way and understand what's going on under the hood when they leave out a single letter in the protocol prefix. Just giving them a new address which they type in verbatim anyway seems like an easier fix. Plus, you disable all unencrypted connections for that domain and you don't need to worry about complex attacks like the current one and previous ones.
But besides that, as I understand it, this attack doesn't require an HTTP request to the victim site; it only requires an HTTP request to any site, followed by an HTTPS request to the victim site, so STS wouldn't be much help here unless all websites turn on SSL and adopt STS. (Though someone should correct me if I'm wrong.)
This vulnerability works by injecting HTML and JS purporting to be from a plaintext version of the site being attacked. In other words, the browser has to accept non-SSL pages from the domain. If your browser just threw away all unencrypted requests for the domain this would never work. Neither would sslstrip or a handful of other tools; the improper handling of SSL certs would have an impact, however.
I could have read that draft wrong but it looks like it depends on headers from the victim site to determine if all traffic should be encrypted. MitM would defeat this.
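To make the STS mechanism discussed in the last few comments concrete, here is a small model of how a browser learns and applies a Strict-Transport-Security policy (added example, not from any browser or from this thread; the class name, the preconfigured host list standing in for the "always SSL for these domains" idea above, and all host names are my own constructed assumptions). It shows why a header-set policy cannot be learned or cleared over a plaintext response, and why nothing is enforced for a host before its first successful HTTPS visit.

```python
# Model of a browser-side STS policy store (constructed example).
import re
import time
from urllib.parse import urlsplit, urlunsplit


class StsPolicyStore:
    def __init__(self, preconfigured=(), now=time.time):
        self.now = now
        self.policies = {}  # host -> (expiry_timestamp, include_subdomains)
        for host in preconfigured:  # hosts forced to HTTPS before any visit
            self.policies[host] = (float("inf"), True)

    def learn(self, url, headers):
        """Record the policy from a response; plaintext responses are ignored."""
        parts = urlsplit(url)
        if parts.scheme != "https":  # an injected HTTP page cannot set/clear it
            return False
        value = headers.get("Strict-Transport-Security")
        if value is None:
            return False
        m = re.search(r"max-age\s*=\s*(\d+)", value, re.I)
        if not m:
            return False
        max_age = int(m.group(1))
        if max_age == 0:  # site withdrew its policy
            self.policies.pop(parts.hostname, None)
            return True
        sub = re.search(r"includeSubDomains", value, re.I) is not None
        self.policies[parts.hostname] = (self.now() + max_age, sub)
        return True

    def is_known_https_host(self, host):
        """True if host or a parent domain (with includeSubDomains) has a live policy."""
        labels = host.split(".")
        for i in range(len(labels)):
            entry = self.policies.get(".".join(labels[i:]))
            if entry is None or entry[0] < self.now():
                continue
            if i == 0 or entry[1]:
                return True
        return False

    def rewrite(self, url):
        """Upgrade http:// to https:// for known hosts; port 80 becomes 443."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not self.is_known_https_host(parts.hostname):
            return url
        netloc = parts.hostname if parts.port in (None, 80) else f"{parts.hostname}:{parts.port}"
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
```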