As the Internet becomes more and more secure, cybercriminals are forced to find new ways of intercepting and stealing sensitive data. They often turn existing security tooling against its purpose and try to trick users into trusting them. This article explains what an SSL Sniffing attempt is and shows how to protect your SSL connection from it.

But first, let’s define what’s a TLS/SSL termination proxy.

A TLS/SSL termination proxy is a proxy server that an organisation places in front of its web servers to accept incoming TLS/SSL connections, decrypt them, and pass the plaintext request on to one of its backend servers. Widely used web servers and load balancers such as Apache HTTP Server, Nginx and HAProxy can act as termination proxies.

The purpose of a TLS/SSL termination proxy is to take the cost of TLS handshakes and encryption off the organisation’s main servers. Because traffic between the proxy and the backends travels unencrypted, the organisation must make sure, before deploying such a proxy, that this internal network segment is trusted and isolated well enough that the session data does not need to be encrypted there.

Unfortunately, cybercriminals have learned to use exactly this capability of a TLS/SSL termination proxy to sniff secure SSL connections: whoever terminates the TLS session can read every message exchanged within it.

What is SSL Sniffing?

SSL Sniffing is a malicious cyber-attack in which a TLS/SSL termination proxy acts as a MitM (man-in-the-middle) proxy that hijacks the secure SSL connection. Why MitM? Because a proxy is by definition a third party sitting in the middle: the client connects to the proxy, and the proxy opens its own connection to the server.

You may already know that SSL certificates are meant to prevent MitM attacks. How, then, can a MitM proxy intervene and sniff an SSL connection?

To sniff the SSL connection, the MitM proxy acts as its own Certificate Authority, one that the browser does not trust. It dynamically generates an SSL certificate for whatever hostname the client asks for. For example, if the browser wants to connect to https://www.mywebsite.com, the MitM proxy generates a certificate for “www.mywebsite.com” and signs it with its own CA key, as if it were an independent CA.

By deliberately acting as a separate CA, the malicious MitM proxy attempts to hijack a connection the user believes is trusted. When the browser tries to connect to the web server, the proxy intercepts the connection and presents a certificate it has issued and signed itself. As a result, the MitM proxy receives the server’s genuine SSL certificate on its own outbound connection, while the browser receives the forged SSL certificate issued by the MitM proxy.

How to avoid SSL Sniffing?

Here comes the crucial part of an SSL Sniffing attempt: the browser thinks it is connecting to the server, but it is actually connecting to the MitM proxy. For the sniffing to take place, however, the browser must accept the proxy’s CA as a genuine, trusted CA.

If the user ignores the security warning and accepts the forged SSL certificate and the MitM proxy’s CA as trusted, the browser completes the connection to the MitM proxy. The proxy can then read and modify everything exchanged over that connection, so the SSL connection is no longer secure.

Let’s suppose that the user has not installed any malicious software. When the browser receives the forged SSL certificate, it cannot chain it to any CA in its trust store, so it displays a security warning that the certificate’s issuer is not trusted and, depending on the browser, offers the option to proceed anyway or to add the certificate as a permanent exception. By rejecting that offer, the user stops the SSL Sniffing attempt and keeps the SSL connection secure. (For sites that use HSTS, modern browsers do not offer a click-through option at all.)

Sadly, if attackers have compromised the user’s computer and installed malware that adds the MitM proxy’s CA certificate to the operating system or browser trust store, the browser will treat the proxy as a valid CA and accept its forged certificates without any warning. This happens entirely in the background and is invisible to the user. For this reason, it is crucial to keep your computer clean with reliable anti-virus software and to watch for root certificates in your trust store that you did not install.

As long as no rogue CA has been planted in your trust store, your web browser will alert you about the untrusted Certificate Authority and its certificate. Be careful and do not trust a certificate you did not expect. In case of doubt, check the SSL certificate and the Certificate Authority that issued it. On an uncompromised machine, an SSL Sniffing attack only succeeds because a user clicks through the warning (“I’ll just click OK to finally visit that website”).

Final thoughts

Remember that the purpose of an SSL certificate is to secure the connection between you and the web server, which is why you should not allow any third party to intervene in it. SSL Sniffing can only succeed if you ignore the browser’s warnings or let your computer be compromised by viruses and malware. Make sure to avoid both.