First of all, thanks for being approachable. I did ask a question (maybe a stupid one) on Udemy once and you answered it the next day. It definitely gave me confidence, and hence here I am asking another one.
I am unable to visualize the situation in the below case. Please clarify!
In the case of an SSL Stripping situation, the attacker is in the middle of the traffic of our network. As you had mentioned, it waits for one of two events (a 302 redirect or visiting the website through a link). So, when we send the original HTTP connection, the server rejects it, saying “This should be an HTTPS connection” and sends it back to the client. Here, I have a couple of questions:
Does SSL Stripping apply to TLS? If it does not yet, is it possible, considering TLS uses improved security compared to SSL?
When exactly does the attacker strip away HTTPS and change it to HTTP? Does it happen when the server has sent the response stating “It should be HTTPS”, or does it wait till the client sends another HTTPS request to the server, the server verifies, the client and the server establish asymmetric encryption to authenticate, the key exchange process happens with the symmetric algorithm in place, data exchange happens through hashes and MACs, and then the attacker starts intercepting our activities?
If it is the second case and if it is applicable for TLS, how does any attacker crack the above four (I am assuming MACs have it too) algorithms in place in such a short period of time?
Or is it possible it doesn’t have to come to that? If a criminal is already in the middle of the network traffic (and I believe that is possible if the server has sent the response to establish an HTTPS connection but it never reaches the client), he may already be intercepting and possibly changing the key exchange between the client and the server, and hence he doesn’t have to crack any algorithm at all.
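The scenario asked about above, as an added toy simulation (not code from the course or the original post): a server that answers plain HTTP with a 302 to HTTPS, a middle position that keeps the client on plain HTTP without ever touching the TLS key exchange, and a client that either does or does not remember an HSTS policy. The host name `bank.example`, the function names and the HTTP semantics are simplified assumptions.

```python
from urllib.parse import urlsplit

HOST = "bank.example"  # constructed host name, not a real site

def origin_server(url):
    """The real server: answers plain HTTP with a 302 to HTTPS and,
    over HTTPS, serves the page with an HSTS header."""
    if url.startswith("http://"):
        return 302, {"Location": "https://" + url[len("http://"):]}, ""
    return 200, {"Strict-Transport-Security": "max-age=31536000"}, "account page"

def stripping_proxy(url):
    """Middle position between client and server (simplified model). It speaks
    HTTPS to the server itself, so no cipher or key exchange is broken; it only
    keeps the client on plain HTTP by following the redirect on the client's
    behalf and dropping the HSTS header from what the client receives."""
    if url.startswith("https://"):
        return origin_server(url)   # real TLS to the server: can only pass through
    status, headers, body = origin_server(url)
    if status == 302:
        status, headers, body = origin_server(headers["Location"])
    headers = {k: v for k, v in headers.items() if k != "Strict-Transport-Security"}
    return status, headers, body

def browse(path, hsts_cache, fetch):
    """Client starting from a typed or linked http:// URL. Returns the scheme
    over which the final page was received. hsts_cache is the browser's set of
    remembered HSTS hosts; fetch is the network path the request travels."""
    url = f"http://{HOST}{path}"
    for _ in range(5):
        if HOST in hsts_cache and url.startswith("http://"):
            url = "https://" + url[len("http://"):]   # HSTS: never send plain HTTP
        status, headers, body = fetch(url)
        if status == 302:
            url = headers["Location"]
            continue
        if url.startswith("https://") and "Strict-Transport-Security" in headers:
            hsts_cache.add(HOST)   # policy learned only over a genuine HTTPS visit
        return urlsplit(url).scheme
    raise RuntimeError("redirect loop")

if __name__ == "__main__":
    print("first visit, attacker in the middle:", browse("/login", set(), stripping_proxy))
    returning = set()
    browse("/login", returning, origin_server)   # an earlier clean visit stores HSTS
    print("returning visitor, attacker in the middle:", browse("/login", returning, stripping_proxy))
```

The first visit ends on plain HTTP even though no algorithm was cracked, which is the point of the question; the returning visitor is protected because the remembered HSTS policy upgrades the request before it leaves the browser, and HSTS preloading exists to cover the very first visit too.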