This blog is going to try to explain why it's important to have an SSL certificate on your websites. What this blog is not is a tutorial for ARP spoofing or DNS spoofing.
What does an SSL certificate even do? To put it simply, it encrypts data. Why is encrypting data important? Because no matter what website you visit, your data is hopping around servers trying to find its way back. You can test this on your Windows machine by opening up a command prompt and typing tracert hostname.
Now this is where the hacker starts having their fun. I'm going to show an example of ARP spoofing and not DNS spoofing. That being said, ARP spoofing is still as much of a threat as DNS spoofing; the difference is that ARP spoofing only works on things like public Wi-Fi (yes, your local Starbucks, McDonald's, etc.) and local networks, and ARP spoofing uses MAC addresses (not Apple's computers) to pull the attack off, instead of IP addresses, which is what you are seeing in the above image.
I'm going to show you an attack that works on a website that has an SSL certificate but was set up wrong, in my opinion. Capital One is known for this flaw. The images below show the hacker's computer.
The image below is the victim’s computer.
Notice two things: there is no green lock, and the web address uses http and not https. Here's the problem with this, shown in the image below: I now know the victim's username is old hack and password is old password.
If Capital One installed the SSL certificate and forced https, I wouldn't be able to read that code because it would be encrypted. Before you start freaking out, I do have a couple of pieces of good news: this attack was performed on Internet Explorer, a dying web browser for good reasons, and newer browsers like Chrome, Edge and Firefox seem to have caught this hack. Here is what Firefox looks like.
Firefox straight up told me this site wasn't secure; two years ago it didn't do this. When I tried on Google Chrome, it wouldn't let me load the page at all. More good news: most hosting sites configure their servers to not allow http and to make sure https is carried over with encryption; otherwise you get a warning message like this.
I was only able to find Capital One with this flaw as of right now. Here is what Capital One should have looked like if the connection is secure.
Last thing: a common mistake (one I have made myself) is not seeing the green lock, seeing an "i" instead, and assuming the site is unsecure. Before freaking out and leaving the page, click on the "i"; a small window should pop up and straight up tell you if the site is secure or unsecure. There are a couple of reasons why you are seeing the "i" and not the green lock. The first and most common is that the site has some mixed content, meaning some parts are encrypted and others are not, mainly images. The second reason is that the site used to use http but has been updated to https with an SSL certificate, and the SSL info is still being pulled from a cache, but eventually this problem fixes itself. And another reason is that the site is not secure, and then you should leave that page.
To sum things up, use an SSL certificate and force https, and also make sure you're not using Internet Explorer.
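Here is one way a site owner could check the "force https" part. This is an added example, not part of the original post: it audits two response heads (as printed by curl -sI) and reports why a site is not forcing https. The host bank.example and the sample responses are constructed, and the Strict-Transport-Security (HSTS) check is an addition the post does not mention; it matters because a redirect alone still sends the first request in the clear.

```python
from urllib.parse import urlsplit

def parse_head(raw):
    """Parse a raw HTTP response head into (status, lower-cased headers)."""
    lines = [l for l in raw.strip().splitlines() if l.strip()]
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers

def hsts_max_age(headers):
    """Return max-age seconds from Strict-Transport-Security, or None."""
    for part in headers.get("strict-transport-security", "").split(";"):
        key, _, val = part.strip().partition("=")
        val = val.strip().strip('"')
        if key.strip().lower() == "max-age" and val.isdigit():
            return int(val)
    return None

def audit_forced_https(host, http_head, https_head):
    """List reasons the site does not force https; empty list means it does."""
    findings = []
    status, headers = parse_head(http_head)
    target = urlsplit(headers.get("location", ""))
    if status not in (301, 302, 307, 308):
        findings.append("plain http request is served instead of redirected")
    elif target.scheme != "https" or target.hostname != host:
        findings.append("redirect does not go to https on the requested host")
    _, secure_headers = parse_head(https_head)
    # max-age=0 switches HSTS off, so it is treated the same as a missing header
    if not hsts_max_age(secure_headers):
        findings.append("https response has no usable Strict-Transport-Security")
    return findings

# Constructed sample responses (not captured from any real site)
WEAK_HTTP = "HTTP/1.1 200 OK\nContent-Type: text/html\n"
WEAK_HTTPS = "HTTP/1.1 200 OK\nContent-Type: text/html\n"
GOOD_HTTP = "HTTP/1.1 301 Moved Permanently\nLocation: https://bank.example/login\n"
GOOD_HTTPS = ("HTTP/1.1 200 OK\n"
              "Strict-Transport-Security: max-age=31536000; includeSubDomains\n")

if __name__ == "__main__":
    for label, h, s in (("weak", WEAK_HTTP, WEAK_HTTPS), ("good", GOOD_HTTP, GOOD_HTTPS)):
        print(label, audit_forced_https("bank.example", h, s))
```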