TIP
FIGURE 5-11. sslstrip is installed on the Pineapple
Click on Start and then click on the link titled sslstrip to see the output. On the Smart TV,
open up the web browser (most Smart TVs come with a default web browser; see your TV’s
instructions) and browse to http://gmail.com. Enter blah for the email address and password
and click on Sign in. Of course, the login attempt will fail, but notice the address bar of the
browser; the URL is still in the form of http (Figure 5-12). Try the same on a laptop that is not
on the Trust_Me network, and you will be redirected to an https link. This means that sslstrip
worked.
On your Linux laptop, you should see the actual captured credentials in the Output sec-
tion of sslstrip (Figure 5-13).
To protect from sslstrip, servers can enable HTTP Strict Transport Security (HSTS). This will make the
server issue an HTTP header with the string Strict-Transport-Security. When the browser sees
this, it will remember to make sure to always use TLS when connecting to the domain that issued the header.
The drawback of this is that if sslstrip is running for the first time, the browser won’t know that it must use
TLS, and the attacker can prevent the header from being passed along. To combat this, some browsers (such
as Chrome and Firefox) have included some well-known domains in a preload list, instructing the browser to
always connect to those domains using TLS.
152 CHAPTER 5: THE IDIOT BOX—ATTACKING “SMART” TELEVISIONS