One defense that host systems have against man-in-the-middle attacks on web servers is SSL encryption. You typically run into this when you access a sensitive service such as online banking or online shopping. Many browsers showcase that HTTPS is in place by displaying a little lock giving the end user a sense of security.
Thanks to a security researcher Moxie Marlinspike, this layer of defense can be bypassed using SSLstrip. SSLstrip works by proxying HTTPS requests from the victim and sending them using HTTP. The HTTP traffic is not encrypted, making it vulnerable to eavesdropping. Once SSLstrip forces the HTTP connection, an attacker can use tcpdump to view the unencrypted login credentials of people accessing accounts such as Facebook.
The HTTP Strict Transport Security (HSTS) specification was subsequently developed to combat these attacks; however, deployment of HSTS has been slow. Also, some businesses such as online banking are adopting the policy of not...