Since their introduction to the commercial market, SSL Certificates have undergone several security enhancements and now boast an almost unbreakable level of encryption. However, the continuous SSL improvements haven’t discouraged cynical attackers to try and steal the encrypted data.
Even with robust security measures, a cyber threat known as SSL stripping looms over the Web, searching for the security vulnerabilities and loopholes in HTTPS configuration, ready to strike at the first oversight. This article explains what an SSL stripping attack is, why it’s dangerous, and how you can detect and prevent SSL stripping attacks from threatening your website and business.
Table of Contents
- What Is SSL Stripping?
- How SSL Stripping Works?
- What Are the Types of SSL Stripping?
- Why SSL Strip Is So Dangerous?
- How to Detect SSL Stripping?
- How to Prevent SSL Stripping?
What Is SSL Stripping?
SSL stripping is a cyber attack that targets secure communication between a user and a website. It takes advantage of the fact that most websites and online services use SSL/TLS encryption to protect sensitive information transmitted over the internet. An SSL strip attack downgrades a secure HTTPS connection to a non-secure HTTP connection, making it easier for cyber thieves to intercept and manipulate the data in transit between a web server and a client.
How SSL Stripping Works?
In 2009, Moxie Marlinspike, a well-known American computer security researcher who advocates the widespread use of strong cryptography and PET (Privacy Enhancing Technologies), spoke about the SSL strip for the first time at the Black Hat information security event.
To better understand how SSL stripping attacks work, let’s consider a scenario where a user wants to access a website via HTTPS. The user’s web browser initiates the connection by requesting an SSL certificate from the website. If the website’s SSL certificate is valid, the browser will trust it and allow visitors to access the web page.
However, in an SSL stripping attack, the attacker acts as a man-in-the-middle, intercepting the initial request and downgrading the connection to HTTP before it reaches the website. As a result, the browser is unaware of the attack and allows the hacker to intercept, read, and modify any data transmitted between the user and the website.
The attacker positions themselves between the user and the website via various means, such as a rogue Wi-Fi hotspot or a compromised network device. Then they modify the response from the website, removing any references to HTTPS and replacing them with HTTP.
Additionally, they may remove secure links, redirects, or other elements that enforce HTTPS.
Since the user’s browser now thinks the website is using HTTP, any subsequent requests made by the user, such as submitting login credentials or sensitive information, will be sent over an insecure connection.
What Are the Types of SSL Stripping?
Two common types of SSL stripping attacks exist: passive and active. Let’s dive into more technical details and explore each attack.
Passive SSL Stripping
In a passive SSL stripping attack, the attacker intercepts the communication between the user and the website without modifying any data. Here’s a breakdown of the process:
- The user initiates a connection to the website using HTTPS, but the attacker intercepts this connection.
- The hacker then performs an SSL downgrade attack by manipulating the response headers sent back to the user’s browser.
- Once the connection is downgraded, the attacker can intercept and view the entire communication between the user and the website.
- The attacker silently collects the intercepted data for malicious purposes, such as identity theft, account compromise, or unauthorized access to sensitive resources.
Active SSL Stripping
Active SSL stripping attacks go a step further by not only downgrading the connection to HTTP but also modifying the content of the web pages exchanged between the user and the website. Here’s a more detailed explanation:
- The attacker intercepts the user’s HTTPS connection and downgrades it to HTTP, similar to passive SSL stripping.
- In active SSL stripping, the hacker actively alters the content of the web pages exchanged between the user and the website. They can use various techniques, such as:
- Changing links: The attacker modifies links within the web page to point to insecure HTTP URLs instead of secure HTTPS URLs.
- Redirecting the user: The attacker may redirect the user to a fake website that mimics the legitimate one – a classic phishing attack with potentially dire consequences.
Active SSL stripping attacks are more dangerous than passive attacks because they involve content manipulation and can lead to additional exploitation and compromise of the user’s information.
Why SSL Strip Is So Dangerous?
SSL Strip reroutes all the traffic coming from a victim’s machine towards a proxy created by the attacker. Now, let’s put ourselves in the shoes of the attacker. We’ve created a connection between the victim and our proxy server. It can intercept all the traffic that flows to us. Without using the SSL Strip we would simply receive the encrypted data, which we won’t be able to decode.
But things change drastically once we add the SSL Strip into the mix. If someone connects to our proxy server, with the Strip running in the background, the victim won’t get any alert from the browser about the SSL Certificate error. They won’t have any suspicion that an actual attack is taking place. So how can the SSL Strip trick both the browser and the website’s server?
The Strip takes advantage of the way most users come to SSL websites. The majority of visitors connect to a website’s page that redirects (ex: the 302 redirects), or they arrive on an SSL page via a link from a non-SSL site. If the victim wants, for instance, to buy a digital product and types the following URL in the address bar www.somedigitalproduct.com, the browser connects to the attacker’s machine and waits for a response from the server. The attacker, in turn, forwards the victim’s request to the online shop’s server and receives the secure HTTPS payment page. For example https://www.somedigitalproduct.com.
At this point, the attacker has complete control over the secure payment page. He downgrades it from HTTPS to HTTP and sends it back to the victim’s browser. The browser is now redirected to http://www.somedigitalproduct.com. From now onward, all the victim’s data will be transferred in plain text format, and the attacker will be able to intercept it. Meanwhile, the website’s server will think that it has successfully established a secure connection. It did that indeed, but with the attacker’s machine, not the victim’s.
How to Detect SSL Stripping?
While spotting SSL stripping attacks can be challenging, there are several indicators that you can look out for. Here are five signs that can help detect SSL stripping.
- Missing padlock symbol: Usually, when you visit a secure website, your browser displays a padlock symbol in the address bar near the website’s URL. If the padlock symbol is missing or replaced with a warning icon, it could indicate that the connection is now over HTTP, and SSL stripping might occur.
- Inconsistent URL: Pay attention to the website’s URL. When you initially load a secure website over HTTPS, the URL starts with “https://”. If, at any point during your interaction with the website, the URL changes to “http://” instead of remaining as “https://”, it suggests that the connection has been downgraded and SSL stripping may be in progress.
- Browser warning messages: Modern browsers often display warning messages when there are security concerns. If your browser indicates that the website’s security certificate is invalid or the connection is not secure, you should leave the site.
- Mixed content warnings: Secure websites (HTTPS) should not load any content, such as images or scripts, from insecure sources (HTTP). If your browser displays warnings about “mixed content”, it suggests that the secure connection may have been tampered with, potentially indicating an SSL stripping attack.
- Unexpected behavior: If you notice unusual behavior on a website, such as missing functionality, broken images, or inconsistent page elements, it could also be a sign of an SSL stripping attack. Attackers may modify the content or inject malicious code, leading to unexpected website behavior.
It’s worth noting that these indicators are not foolproof and may not always indicate a MitM attack or an SSL strip. However, if you encounter any of these signs, it is advisable to exercise caution and consider the possibility of an ongoing attack.
How to Prevent SSL Stripping?
Preventing SSL stripping requires a multi-layered approach. First and foremost, website owners should enforce HTTPS connections by default by implementing HTTP Strict Transport Security (HSTS), which instructs the user’s browser to only communicate with the website via secure HTTPS connections. Additionally, website owners should renew the SSL certificate on time and employ the latest cryptographic protocols and encryption algorithms.
From the user’s perspective, it’s crucial to be vigilant and verify the security of websites before sharing sensitive information. Users should look for the padlock symbol, check for the “https” prefix in the URL, and be cautious when entering login credentials or making online transactions on unfamiliar or suspicious websites. Employing a reliable VPN (Virtual Private Network) can also help protect against SSL stripping attacks by encrypting all internet traffic and preventing interception by potential attackers.
Despite the advancements in SSL/TLS encryption, attackers continue to exploit vulnerabilities and loopholes to downgrade secure HTTPS to insecure HTTP connections. Detecting SSL stripping attacks is now easier because all modern browsers flag HTTP websites as unsafe and encourage users not to use them. By staying informed, implementing robust security measures, and being proactive in detecting and preventing such attacks, individuals and businesses can ensure safer online interactions.
Save 10% on SSL Certificates when ordering today!
Fast issuance, strong encryption, 99.99% browser trust, dedicated support, and 25-day money-back guarantee. Coupon code: SAVE10
Frequently Asked Questions
What Kind of Attack Is SSL Stripping?
SSL stripping is a type of man-in-the-middle attack that targets the secure communication between a user and a website by downgrading the secure HTTPS connection to a non-secure HTTP connection.
What Is an Example of SSL Stripping?
In a café using public Wi-Fi, an attacker conducts an SSL stripping attack by intercepting and downgrading a user’s secure HTTPS connection to a non-secure HTTP connection, allowing them to capture sensitive data such as login credentials and potentially gain unauthorized access to online accounts.
Is SSL Stripping a Downgrade Attack?
Yes, SSL stripping can be considered a type of downgrade attack. It downgrades the HTTPS connection to the vulnerable HTTP protocol, where data is transmitted in plain text. As a result, attackers can intercept and decipher the information in transit.
Is SSL Stripping a MitM Attack?
Yes, SSL stripping is a form of MitM attack. The attacker positions themselves between the user and the website, intercepting the communication and manipulating the traffic that compromises the security and privacy of sensitive data.
Does SSL Stripping Work on TLS?
Yes, SSL stripping can work on TLS (Transport Layer Security), the successor to SSL (Secure Sockets Layer). Although the name refers to SSL, attackers can use the technique to strip the security from both SSL and TLS connections, as the underlying principle of downgrading the connection remains the same.