Quote Originally Posted by abraoximenes View Post
Did the victim not receive any warning, when you attack the https, ? It seems when the attacks happen, it forces the victim to use http. Thanks
Transparent for an "occasional" user. An "advanced" user might notice that the connection uses HTTP and not HTTPS.
If the attacker uses sslstrip with the "-f" option, an advanced user might notice the unusual favicon.

Notes: sslstrip doesn't work if

- the client requests an address with HTTPS directly, for example HTTPS://www.example.com;
- the web site supports HSTS, which forces a browser to interact with the server solely over HTTPS;
- the client is a smartphone AND the user uses an app (apps like Gmail, Facebook etc. work only with HTTPS). I guess this is not so for all applications...;

* notes by http://blog.csnc.ch/tag/sslstrip/

"The very initial request to a HSTS web site may still be http and thus exposed to a standard Man-In-The-Middle attack (Bootstrap MITM). In that phase, an attacker could tamper with the HSTS response header and inject invalid subdomains (DoS), disable HSTS (set max-age to 0) or poison the HSTS cache of the user agent otherwise. However, wrongly stored HSTS policies can be simply removed by clearing the local browser cache."

* HSTS: "HTTP Strict Transport Security (HSTS) is an opt-in security enhancement that is specified by a web application through the use of a special response header. Once a supported browser receives this header that browser will prevent any communications from being sent over HTTP to the specified domain and will instead send all communications over HTTPS. It also prevents HTTPS click through prompts on browsers." (https://www.owasp.org/index.php/HTTP...sport_Security)

It is useful to install "HTTPS Everywhere", an extension for Firefox and Chrome (https://www.eff.org/https-everywhere).
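Added example, not from the post above and not code from sslstrip or any browser: a small model of a user agent's HSTS cache, following RFC 6797, showing why the "bootstrap" first HTTP visit is the window sslstrip needs, why a Strict-Transport-Security header seen on a plain-HTTP response (the only kind the victim sees during the attack) is ignored, and how a later legitimate max-age=0 or an expired policy reopens the window. The host www.example.com and the header values are constructed samples.

```python
"""Minimal model of a browser's HSTS known-hosts cache (RFC 6797).
Illustrative code only: not sslstrip's, not any browser's."""
import re
import time
from urllib.parse import urlsplit, urlunsplit

# directive := token [ "=" quoted-or-bare number ]
_DIRECTIVE_RE = re.compile(r'^\s*([A-Za-z-]+)\s*(?:=\s*"?(\d+)"?)?\s*$')


def parse_hsts(header_value):
    """Parse a Strict-Transport-Security header value.
    Returns {'max_age': int, 'include_subdomains': bool}, or None if the
    header is invalid (no max-age, a duplicated directive, bad syntax)."""
    if header_value is None:
        return None
    max_age, include_subdomains, seen = None, False, set()
    for raw in header_value.split(";"):
        if not raw.strip():
            continue
        m = _DIRECTIVE_RE.match(raw)
        if not m:
            return None
        name, value = m.group(1).lower(), m.group(2)
        if name in seen:          # RFC 6797 6.1: duplicates make the header invalid
            return None
        seen.add(name)
        if name == "max-age":
            if value is None:
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        # unknown directives are ignored
    if max_age is None:
        return None
    return {"max_age": max_age, "include_subdomains": include_subdomains}


class HstsCache:
    """Known-HSTS-hosts store keyed by lowercase hostname."""

    def __init__(self, now=time.time):
        self._now = now
        self._policies = {}       # host -> (expiry_timestamp, include_subdomains)

    def record(self, host, header_value, over_https=True):
        """Apply the STS header of a response. RFC 6797 8.1: the header MUST be
        ignored on a non-secure (plain HTTP) response, which is exactly what
        the victim of sslstrip receives. Returns True if the cache changed."""
        if not over_https:
            return False
        policy = parse_hsts(header_value)
        if policy is None:
            return False
        host = host.lower()
        if policy["max_age"] == 0:               # max-age=0 deletes the entry
            return self._policies.pop(host, None) is not None
        self._policies[host] = (self._now() + policy["max_age"],
                                policy["include_subdomains"])
        return True

    def is_known(self, host):
        """True if host, or a parent domain with includeSubDomains, has an
        unexpired policy. Expired entries are dropped on lookup."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            entry = self._policies.get(candidate)
            if entry is None:
                continue
            expiry, include_subdomains = entry
            if expiry <= self._now():
                del self._policies[candidate]
                continue
            if i == 0 or include_subdomains:
                return True
        return False

    def rewrite(self, url):
        """The URL the UA actually fetches: http:// is upgraded to https://
        for known hosts, so an sslstrip-rewritten link never leaves in clear."""
        p = urlsplit(url)
        if p.scheme == "http" and self.is_known(p.hostname or ""):
            netloc = p.netloc[:-3] if p.netloc.endswith(":80") else p.netloc
            return urlunsplit(("https", netloc, p.path, p.query, p.fragment))
        return url


def sslstrip_scenario():
    """Walk through the bootstrap problem; returns the URL fetched at each step."""
    cache = HstsCache()
    link = "http://www.example.com/login"          # constructed sample link
    steps = [cache.rewrite(link)]                   # 1. empty cache: goes out in clear
    # 2. attacker relays the site's header but over HTTP: it is ignored
    cache.record("www.example.com", "max-age=31536000", over_https=False)
    steps.append(cache.rewrite(link))
    # 3. a clean HTTPS visit enrols the host (and its subdomains)
    cache.record("www.example.com", "max-age=31536000; includeSubDomains")
    steps.append(cache.rewrite(link))
    steps.append(cache.rewrite("http://mail.www.example.com/"))
    # 4. site legitimately un-enrols with max-age=0: window reopens
    cache.record("www.example.com", "max-age=0")
    steps.append(cache.rewrite(link))
    return steps


def expiry_demo():
    """Policy honoured within max-age, gone once the clock passes it."""
    clock = [0.0]
    cache = HstsCache(now=lambda: clock[0])
    cache.record("a.example", "max-age=10")
    before = cache.is_known("a.example")
    clock[0] = 11.0
    return before, cache.is_known("a.example")


if __name__ == "__main__":
    for step, url in enumerate(sslstrip_scenario(), 1):
        print(step, url)
```

The model makes the practical point behind the quoted blog note: the only visit that can enrol a host is a genuine HTTPS one, so a user who has never reached the real site over TLS (or whose policy has expired) is as exposed as one on a site without HSTS, which is why browser preload lists and HTTPS Everywhere close the gap that the header alone cannot.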