An SSL stripping attack (also known as an SSL downgrade or HTTP downgrade attack) is a type of cyber attack in which hackers downgrade a web connection from the more secure HTTPS to the less secure HTTP. This leaves all communications unencrypted and sets the stage for a man-in-the-middle attack, in which the hacker sits in the middle of a conversation, listening to or intercepting information. SSL stripping can lead to security risks such as hackers eavesdropping on private information or even altering data or communications without the legitimate users' knowledge.
What is SSL Stripping Attack?
SSL Stripping, also known as an SSL Downgrade attack, is, in simple terms, high-tech, undetected eavesdropping. The aim of an SSL Stripping attack is always to kill secure communication without the victim realizing it. It’s all about data collection and manipulation.
SSL Stripping allows attackers to downgrade your connection from a secure HTTPS to an insecure HTTP. This, in turn, leaves you vulnerable to spying and data manipulation. It is somewhat similar to wiretapping, just a little more technical.
Both wiretapping and SSL Stripping have a ‘man in the middle’, the person who does the eavesdropping. In this case it’s the hacker, who sets up a proxy that intercepts the traffic from a victim’s computer and reroutes it through their own machine. They can then use the intercepted information to do just about anything they want.
Users will often not realize their information is being or has been compromised because they will end up on a page that looks practically the same as the one they were searching for.
That’s how SSL Stripping tricks users into believing their connection is secure and their data encrypted, when in fact the connection is insecure and the data is sent in plain text because the encryption has been stripped from it. That’s why it is called SSL ‘strip’.
How does SSL Stripping Attack work?
When users visit a website, they first connect to the HTTP version before being redirected to the HTTPS version. In SSL stripping attacks, hackers jump into this window to act as a man in the middle and prevent users from ever connecting to the HTTPS version of the site.
Breaking this down further, such a connection starts out insecure. Users reach the HTTP version of a website first, and only then are they moved over to the secure HTTPS version, where the server authenticates itself. These steps are intended to ensure privacy and verify the legitimacy of those involved in the connection.
Hackers can “strip” the SSL connection by inserting themselves into this process. When they do so, they act as a man in the middle by establishing their own HTTPS connection with the website (posing as the user) while maintaining the HTTP connection with the user (posing as the website). Once they have made those connections, they can sit in the middle of the conversation and obtain everything the user submits to the website in plaintext form. When this happens, users are not only sharing information with an illegitimate source in plaintext, but they may also receive altered responses in return, since the hacker can modify the communication coming back from the legitimate website.
There are generally three ways hackers can gain the necessary access to execute SSL stripping attacks:
- Proxy servers: Hackers can manually set a user’s browser proxy to route all traffic to their external server. This means every web request users make will go to the hacker, who can then take over and establish manipulative connections based on each request.
- ARP spoofing: Hackers connect to a user’s IP address through a spoofed address resolution protocol (ARP) message. Once they connect in this way, they can receive any data intended for the legitimate user’s IP address.
- Network access: Hackers can create a fake public Wi-Fi network, and once users connect to that network, they can control all communications that occur on it. If hackers gain access to any supposedly secure network, they can execute the attack in the same way.
What is the threat of SSL stripping attacks?
After the successful implementation of an SSL stripping attack, the victim’s information is transferred in plain text format and can be easily intercepted by anyone, including the attacker. This results in a breach of the integrity and confidentiality of personally identifiable information (PII) such as login credentials, bank accounts, sensitive business data, etc. Hence the threat of this vulnerability is easily understood and may have varying implications for your digital presence. Your business relies on encrypted communications to transact securely from the edge to the endpoint. But what if you can’t trust the identifying certificates on each end of the channel? Without this trust, you can’t engage in the e-commerce web transactions and online banking that your consumers now rely on without a second thought about security.
SSL stripping attacks can work only on websites that encrypt just their login page rather than the whole site. Hence, websites that use both HTTP and HTTPS in their setup are vulnerable to SSL stripping attacks. The question to be answered now is this: what can we do to secure ourselves against this threat? Is the adoption of HTTPS and Chrome updates a panacea?
How can you prevent this form of attack?
An SSL certificate alone won’t protect you: you need to encrypt all of your connections by serving the whole site over HTTPS with a properly configured SSL certificate. And you need to encrypt every element of your site, not just the login page. Pictures, links, everything.
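The advice above is easier to act on with a checklist of what is still being loaded over plain HTTP. The following script is an added example, not code from the original post: it audits an HTML document for sub-resources and links that resolve to an http:// URL, then separates active content (scripts, stylesheets, forms, frames), which lets an on-path attacker inject code or capture submitted data, from passive content (images, plain links). The HTML document and the hostnames in it are constructed for the demonstration.

```python
"""Audit an HTML page for elements that would be fetched over plain HTTP.

Added example (not from the original post). The sample page and its
hostnames are constructed; point find_insecure_refs() at real markup to
use it on your own site.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Attributes that make the browser fetch a resource or navigate somewhere.
URL_ATTRS = {"src", "href", "action", "data"}

# Tags whose http:// references let an attacker run code or read form data.
ACTIVE_TAGS = {"script", "iframe", "form", "link", "object", "embed"}


class InsecureRefFinder(HTMLParser):
    """Collect (tag, attribute, absolute_url) for every plain-http reference."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name not in URL_ATTRS or not value:
                continue
            # Resolve relative and protocol-relative ("//host/x") URLs against
            # the page URL; only an explicit http: scheme is a finding.
            absolute = urljoin(self.base_url, value)
            if urlsplit(absolute).scheme == "http":
                self.findings.append((tag, name, absolute))


def find_insecure_refs(html, base_url):
    """Return the list of plain-http references found in `html`."""
    parser = InsecureRefFinder(base_url)
    parser.feed(html)
    parser.close()
    return parser.findings


def classify(findings):
    """Split findings into (active, passive) so the dangerous ones go first."""
    active = [f for f in findings if f[0] in ACTIVE_TAGS]
    passive = [f for f in findings if f[0] not in ACTIVE_TAGS]
    return active, passive


# Constructed sample page served from https://www.example.com/login.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://cdn.example.com/site.css">
<script src="//static.example.com/app.js"></script>
</head><body>
<img src="/img/logo.png">
<img src="http://cdn.example.com/banner.jpg">
<form action="http://www.example.com/login" method="post"></form>
<a href="http://www.example.com/help">Help</a>
<a href="https://www.example.com/account">Account</a>
</body></html>"""
SAMPLE_URL = "https://www.example.com/login"

if __name__ == "__main__":
    active, passive = classify(find_insecure_refs(SAMPLE_HTML, SAMPLE_URL))
    for label, group in (("ACTIVE", active), ("PASSIVE", passive)):
        for tag, attr, url in group:
            print("%-7s <%s %s=%s>" % (label, tag, attr, url))
```

The protocol-relative script URL and the root-relative image are resolved against the HTTPS page URL and therefore pass; the stylesheet, banner image, form action and help link are reported, with the stylesheet and the form action flagged as active because a plain-HTTP form action sends the user's credentials in cleartext no matter how the page itself was loaded.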
When you purchase an SSL certificate, you can (for an additional fee) add a Wildcard option which allows you to use your SSL on an unlimited number of subdomains and servers for greater security.
An Organisation Validation (OV) or Extended Validation (EV) SSL certificate will further improve your site’s level of security and confirm its authenticity. An EV SSL certificate shows your company’s name in a green URL bar as proof that your site is legitimate. Compare SSL certificates to find the one that best suits your needs.
HSTS Preload List
An HSTS preload list is a global inventory of websites that only use HTTPS connections. It provides another level of security to your site, and website owners are urged to educate themselves on the list and on how it can protect their websites against SSL Stripping attacks.
To be on the HSTS Preload List, a site must be set up to serve an HSTS header on its base domain for all HTTPS requests. The header then indicates to all browsers that the site should only be loaded over the HTTPS protocol. All other variations are rejected.
In other words, the HSTS Preload List works by making the browser refuse to connect to a listed website over plain HTTP. The average user may not be able to tell if a website uses HSTS, is on the HSTS Preload List, or has other weaknesses.
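The attack window described under “How does SSL Stripping Attack work?” and the HSTS behaviour described in this section are easiest to see side by side in a small model. The code below is an added example, not code from the original post or from any real browser: it parses Strict-Transport-Security headers, keeps per-host policies with expiry and includeSubDomains, consults a constructed preload set, and decides whether an http:// navigation is upgraded. It also checks a header against the published preload submission requirements (max-age of at least one year, includeSubDomains, preload). The hostnames are placeholders and the clock is injected so the walk-through is deterministic.

```python
"""Toy model of how HSTS and the preload list close the SSL-stripping window.

Added example, not code from the original post or from any browser.
Hostnames such as bank.example and the preload set are constructed.
"""
import time
from urllib.parse import urlsplit, urlunsplit

ONE_YEAR = 31536000  # seconds; minimum max-age accepted for preloading


def parse_hsts(header):
    """Return {'max_age', 'include_subdomains', 'preload'} or None if the
    header is malformed (a browser ignores it rather than downgrading)."""
    directives = {}
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            directives[name.strip().lower()] = value.strip().strip('"')
    try:
        max_age = int(directives["max-age"])
    except (KeyError, ValueError):
        return None
    return {"max_age": max_age,
            "include_subdomains": "includesubdomains" in directives,
            "preload": "preload" in directives}


def preload_eligible(header):
    """List what the header lacks for preload submission (empty = OK).
    Only the header criteria are checked here; the list also requires a
    valid certificate and an HTTP-to-HTTPS redirect on the same host."""
    policy = parse_hsts(header)
    if policy is None:
        return ["max-age missing or invalid"]
    problems = []
    if policy["max_age"] < ONE_YEAR:
        problems.append("max-age must be at least %d" % ONE_YEAR)
    if not policy["include_subdomains"]:
        problems.append("includeSubDomains directive missing")
    if not policy["preload"]:
        problems.append("preload directive missing")
    return problems


class HstsStore:
    """Policies learned from HTTPS responses plus a built-in preload set."""

    def __init__(self, preload=(), clock=time.time):
        self.preload = set(preload)
        self.policies = {}  # host -> (expires_at, include_subdomains)
        self.clock = clock

    def learn(self, host, header, over_https=True):
        """Headers seen over plain HTTP are ignored: an on-path attacker
        controls those, so they can neither set nor clear a policy."""
        policy = parse_hsts(header) if over_https else None
        if policy is None:
            return False
        if policy["max_age"] == 0:
            self.policies.pop(host, None)  # the site itself opted out
        else:
            self.policies[host] = (self.clock() + policy["max_age"],
                                   policy["include_subdomains"])
        return True

    def is_known_https(self, host):
        """Exact host, or a parent domain whose policy covers subdomains."""
        labels = host.split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            if candidate in self.preload:
                return True  # preloaded entries always cover subdomains
            entry = self.policies.get(candidate)
            if entry is None:
                continue
            expires_at, include_subdomains = entry
            if expires_at <= self.clock():
                del self.policies[candidate]  # expired: the window reopens
            elif i == 0 or include_subdomains:
                return True
        return False

    def navigate(self, url):
        """Return the URL the browser actually requests."""
        parts = urlsplit(url)
        if parts.scheme == "http" and self.is_known_https(parts.hostname):
            return urlunsplit(("https",) + tuple(parts[1:]))
        return url


def demo():
    """First visit, learned policy, stripped reply, expiry, preloaded host."""
    now = [1_000_000.0]
    store = HstsStore(preload={"preloaded.example"}, clock=lambda: now[0])
    first = store.navigate("http://bank.example/login")  # the window: plain HTTP
    store.learn("bank.example", "max-age=31536000; includeSubDomains")
    later = store.navigate("http://bank.example/login")
    sub = store.navigate("http://www.bank.example/")
    # A stripped (plain-HTTP) response tries to clear the policy: ignored.
    cleared = store.learn("bank.example", "max-age=0", over_https=False)
    still = store.navigate("http://bank.example/login")
    now[0] += ONE_YEAR + 1  # policy lapses if the site is not revisited
    expired = store.navigate("http://bank.example/login")
    pre = store.navigate("http://login.preloaded.example/")
    return first, later, sub, cleared, still, expired, pre
```

Running `demo()` shows the three states that matter to a defender: the very first visit to bank.example goes out over HTTP (the window the attack relies on), every later visit within max-age is upgraded before any packet leaves the machine, and the preloaded host never has a first HTTP visit at all. The expiry step is the reason preloading exists: a learned policy silently lapses when a user stays away longer than max-age, while a preloaded entry ships inside the browser.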
Educate your users
Last, but not least, keep your users informed about a few basic precautions they can take to avoid falling victim to SSL stripping.
- HTTPS Everywhere: Encourage users to install the HTTPS Everywhere browser extension, which forces their browser to use the HTTPS version of a website wherever one is available.
- Virtual Private Networks (VPN): A VPN provides users with a layer of secure encryption no matter what site they are on. Even if a site is downgraded to HTTP, data will remain encrypted.
- Wi-Fi: Avoid using public Wi-Fi networks, especially when sending sensitive data (like credit card information when making a purchase).
- HTTPS: If those FIVE letters – HTTPS – aren’t in front of the URL, don’t click on it.
- Links: Don’t click on malicious-looking links or emails.
In this blog post, we have discussed the simple yet dangerous mechanism of SSL stripping attacks and provided an overview of the proposed solutions to thwart them. Hackers take advantage of a single attack window, created when users make their initial request over HTTP instead of the secure HTTPS protocol.
As mitigation, HTTP Strict Transport Security (HSTS) can be implemented on the server side, complemented by the HSTS Preload List that is hardcoded into browsers. Browser extensions such as HTTPS Everywhere can be installed to prevent users from making HTTP connections in the first place. Lastly, efforts to make browser warnings on insecure HTTP connections more noticeable could help users avoid falling victim to SSL stripping attacks.