Yes I love this feature
You’re not ever using HTTPS. You’re connected to my server, not the real one, and I’m only using HTTP. You can enable “Always use secure connections” in your browser so you get a warning, but unfortunately even major browsers don’t have it enabled by default, and even then, it won’t actually stop you.
Your browser doesn’t know you were downgraded because you were only ever using HTTP with my server.
What do you mean “visiting HTTPS”?
I’m not sure what your obsession with YouTubers is about that you’ve mentioned it like 3 times, but I highly doubt they are telling people the reason they should sign up for NordVPN is so they can mitigate the risk of an evil twin SSL stripping attack if you’re visiting a site that hasn’t implemented HSTS.
Can you set location permissions to “all the time” for the VPN app? I believe “all the time” is required for WiFi network listings.
There is also HSTS, which allows the site to say “I will always send HTTPS” and works on the principle of “trust on first use”. Considering that most people generally access the same sites, if you try to do a downgrade, you will receive scary warnings that should at least give a careful user pause.
But definitely not a 100% solution.
https://google.com would not redirect to http://google.com
I did that, no luck. Probably one of those strange bugs that never get resolved😅
I’m still on A14 on P8 if it matters
It’s a very good solution, the problem is that only 60% of the top 1000 sites have adopted it, and that rate just keeps dropping as you go down the list
That’s not what’s happening. After you have connected to my rogue AP, I control your HTTPS request now. In the URL bar, your browser will display the initial request, which would be https://google.com.
However, I intercept that request; your request does not make it to Google. I send my own HTTPS request to Google; this one IS established, and then when I receive the reply from Google, I forward the now unencrypted response back to you using HTTP. So you get served the same content as if you visited https://google.com directly, but your reply back, maybe filling in a form, will go back to me, and it will not be encrypted because the connection between you and me is using HTTP.
The address bar maintains the initial HTTPS URL throughout the session, even though each request and response from this point onward uses HTTP.
You certainly couldn’t speak for yourself so that’s probably the right move
The browser bar will show HTTP not HTTPS, plus this would be prevented by HSTS.
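
The "trust on first use" behaviour of HSTS discussed in this thread, as an added example that is not part of any poster's comment: a minimal Python model of a browser's HSTS store following RFC 6797. The class name, hostnames and timestamps are constructed for illustration, and preload lists are not modelled.

```python
# Added illustration: a minimal model of a browser's HSTS store (RFC 6797).
# Hostnames and timestamps used with it are constructed sample values.
from urllib.parse import urlsplit


class HSTSStore:
    def __init__(self):
        self._hosts = {}  # host -> (expiry_time, include_subdomains)

    def observe(self, url, sts_header, now):
        """Record a Strict-Transport-Security header seen on a response."""
        parts = urlsplit(url)
        if parts.scheme != "https":
            return  # headers received over plain HTTP are ignored
        max_age, include_sub = None, False
        for directive in sts_header.split(";"):
            name, _, value = directive.strip().partition("=")
            name = name.strip().lower()
            if name == "max-age":
                value = value.strip().strip('"')
                if value.isdigit():
                    max_age = int(value)
            elif name == "includesubdomains":
                include_sub = True
        if max_age is None:
            return  # max-age is required; without it the header is invalid
        if max_age == 0:
            self._hosts.pop(parts.hostname, None)  # site withdrew its policy
        else:
            self._hosts[parts.hostname] = (now + max_age, include_sub)

    def is_known(self, host, now):
        """True if an unexpired policy covers this host."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self._hosts.get(".".join(labels[i:]))
            # Exact match always applies; a parent only with includeSubDomains.
            if entry and entry[0] > now and (i == 0 or entry[1]):
                return True
        return False

    def outgoing_url(self, url, now):
        """URL the browser actually requests after applying HSTS."""
        parts = urlsplit(url)
        if parts.scheme == "http" and self.is_known(parts.hostname, now):
            return parts._replace(scheme="https").geturl()
        return url
```

Before any policy has been stored over a genuine HTTPS connection, `outgoing_url` returns the `http://` URL unchanged, which is the window the thread is arguing about; once a policy is stored, the same URL is rewritten to `https://` until `max-age` expires.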