At my NDC Oslo talk today, I showed how to downgrade HTTPS to HTTP on Skandiabanken. It was with the kind permission of the people at Skandiabanken and I would like to express my thanks for that.
The attack I used is a very narrow attack and does not compromise the bank’s security, because of the excellent security that they have implemented, but it does show the vulnerability of the underlying network.
The main lesson for people is to keep an eye on your browser because, as you saw, the browser showed the correct site but the address was webskandiabanken.no.
If you are a regular user of the bank website you should be OK due to the way the attack works: for it to work, you must not have visited the bank in that browser before.
Again, many thanks for their kind permission.