Why doesn't Google login enforce ssl redirect at the server end?

Asked May 14 '17 at 05:11

Active May 14 '17 at 05:11

Viewed 38 times

I was playing about with ssl strip against an ie8 target, just for learning more about it. To my surprise I was able to capture the credentials of the ie8 victim when signing into Google accounts.

I can understand that ie8 doesn't support something like HSTS, but what I don't understand is why Google are even offering a HTTP version of the login form? Surely they should just redirect any request for this page to HTTPS with a redirect rule in the server itself and the problem would be solved regardless of the browser the user is using.

asked May 14 '17 at 05:11

fpghost

1

Please look at How does SSLstrip work? and you'll see that the connection between the attacker and google is HTTPS, only the connection between the victim and attacker is HTTP. Thus your assumption in the question of the connection to google being HTTP only is wrong. – Steffen Ullrich May 14 '17 at 05:21
Ah, thanks. I see. If you want to make that an answer I accept. – fpghost May 14 '17 at 05:32
I don't think an answer is needed since the answer is already in How does SSLstrip work?. This means I consider this question a duplicate and hope it gets marked as such. – Steffen Ullrich May 14 '17 at 05:35

Why doesn't Google login enforce ssl redirect at the server end?

0 Answers0