
Wireshark is worth a couple of hours of play. It was quite a revelation to use it on a non-HTTPS connection and watch myself transmit my password letter for letter in clear text :) Yes, one can imagine how that is, but still, doing it is different.



Or, similarly, I set up an HTTPS proxy on my Mac, and set Wireshark to listen. Then, had someone else log in to a different account (say, the guest account) on the machine, and asked them to log into Gmail, say, as usual via HTTPS (with a fake user/pass). A warning does pop up about "insecure connection", but most people just dismiss it and go ahead and log in - and Wireshark intercepts username and password.

Classic MiTM, well known, but still freaky to observe how easy it is to set up.


This wouldn't really be possible with a modern browser, luckily, since they don't let users bypass the warning for sites with HSTS.


Yeah, for Gmail or some other big website. The real targets are usually the smaller corporate sites which are not in the preload list, but you wouldn't use those to demo with...


Well, as long as the site has HSTS and the user had visited it at least once before the MiTM attempt... But yeah, a gazillion corporate sites won't have HSTS configured.


In this case, the user runs the browser from a guest account - that the "attacker" controls. It would be prudent to start with a clean profile - so no "earlier" visits.


Locally-installed root CAs are allowed by HSTS, so if you added the HTTPS proxy to the root store, this would work without warning, unless you manually checked the certificate.

Of course, this only works on machines you're the admin of, which is why it's allowed.


What's the purpose of this Rude Goldberg's machine if you could do keylogging instead?


You could, but nobody will notice (no information about an insecure machine). Here the victim is being informed and should become suspicious. Most of my friends don't know the difference between http and https. These are some letters which show up in front of the URL.


Rube not Rude.
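
The HSTS behaviour discussed in the thread above (preload list, a prior visit, a clean profile), as an added example that is not part of any comment. It is a simplified model of RFC 6797 handling, not any browser's code; the function names, class name and `.example` hosts are constructed for illustration.

```javascript
// Simplified model of how a browser applies HSTS (RFC 6797).
// Added illustration: names and sample hosts are constructed.

// Parse a Strict-Transport-Security header value into its directives.
function parseHsts(value) {
  const policy = { maxAge: null, includeSubDomains: false };
  for (const part of value.split(';')) {
    const [name, raw = ''] = part.trim().split('=');
    const key = name.trim().toLowerCase();
    if (key === 'max-age') {
      const digits = raw.trim().replace(/^"(.*)"$/, '$1');
      if (/^\d+$/.test(digits)) policy.maxAge = Number(digits);
    } else if (key === 'includesubdomains') policy.includeSubDomains = true;
  }
  return policy.maxAge === null ? null : policy; // max-age is mandatory
}

class HstsStore {
  constructor(preloaded = []) {
    this.preloaded = new Set(preloaded); // shipped with the browser; modelled as covering subdomains
    this.dynamic = new Map();            // host -> { expires, includeSubDomains }
  }
  // Record a policy. The header is only honoured on an error-free HTTPS response.
  note(host, headerValue, secureTransport, nowSec) {
    const p = secureTransport ? parseHsts(headerValue) : null;
    if (!p) return;
    const h = host.toLowerCase();
    if (p.maxAge === 0) this.dynamic.delete(h); // max-age=0 removes the entry
    else this.dynamic.set(h, { expires: nowSec + p.maxAge, includeSubDomains: p.includeSubDomains });
  }
  // Is `host` a known HSTS host at time nowSec (exact match or covered by a parent)?
  isHstsHost(host, nowSec) {
    const labels = host.toLowerCase().split('.');
    for (let i = 0; i < labels.length; i++) {
      const candidate = labels.slice(i).join('.');
      if (this.preloaded.has(candidate)) return true;
      const e = this.dynamic.get(candidate);
      if (e && e.expires > nowSec && (i === 0 || e.includeSubDomains)) return true;
    }
    return false;
  }
}

// What the user sees when the certificate chain fails validation.
function onCertError(store, host, nowSec) {
  return store.isHstsHost(host, nowSec) ? 'hard-fail' : 'warning-with-bypass';
}
```

A fresh `HstsStore` with no dynamic entries corresponds to the clean guest profile mentioned above. A certificate issued by a locally trusted root validates normally, so that case never reaches `onCertError`.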



