Secure Sockets Layer (SSL) certificates are at the heart of ensuring safe web connections for modern browsers and servers.
An SSL strip essentially entails that a secure HTTPS connection is downgraded. This malicious action is turned into an unsecured HTTP connection, which is not encrypted and thus can give way to different vulnerabilities.
SSL stripping attacks are known to enable the widespread Man-in-the-Middle attacks. They entail that a cybercriminal intercepts secure conversations to access private data. In particular, threat actors can steal information, execute fraudulent transactions, and meddle with personal communications through MITM attacks.
Let’s look at what an SSL strip is, how it works, what types of SSL stripping attacks there are, and how to prevent them.
SSL Stripping Explained
What is SSL stripping? In a nutshell, it is an action performed by a malicious user that leads to a downgrade from an HTTPS secure connection to a less secure encrypted HTTP connection. As a result, the whole web connection is not encrypted anymore. This risks individuals and businesses, including loss of private data, fraud, and attacks on larger systems.
Let’s first look at the basic terms to understand the gravity of the SSL stripping downgrade attack.
What’s SSL?
SSL (Secure Sockets Layer) is also known as Transport Layer Security (TLS) or SSL/TLS. This is how data traffic can be encrypted, and servers can be authenticated to provide a high level of security for web connections.
The SSL encryption is executed through a TLS Handshake which ‘starts the conversation’ between a browser and a server. A user’s browser initiates a TLS Handshake to establish the connection between the web client and the server. However, the TLS Handshake is unencrypted and can thus be abused by malevolent actors.
HTTP vs HTTPS
HTTP stands for Hypertext Transfer Protocol. It represents a connection between a website and a browser that is not encrypted and is thus not considered secure enough for today’s digital environment. HTTPS, on the other hand, stands for Hypertext Transfer Protocol Secure. It uses data encryption to protect against unauthorized access to the transferred information — that’s what it’s considered a secure protocol.
SSL stripping aims to allow for other types of interception attacks. In particular, it may enable an attacker to perform a Man-in-the-Middle attack. This entails that the cybercriminal can intercept private communication and data transfer to gain illegitimate access to sensitive data such as usernames, passwords, email correspondence, and banking details — without getting caught.
The SSL striping can be done by abusing the TCP Handshake, which is not encrypted. When a user browser requests access to a server, the Man-in-the-Middle attacker interferes and sends the handshake instead. Then they forward back to the user a malicious website connection.
When HTTPS is being employed, however, even if a malicious user can execute a Man-in-the-Middle attack attempt, they wouldn’t be able to read the data transferred from a web client to a server because it is encrypted.
The History of SSL Stripping
The SSL stripping vulnerability was discovered in 2009 by Moxie Marlinspike, a prominent American computer security researcher. He brought out details of how SSL stripping attacks can be executed without anyone ever noticing them — making them a serious threat to the digital security of both regular users and businesses.
Types of SSL Stripping Attacks
The three common SSL stripping attacks include ARP spoofing, using a proxy server, and using public Wi-Fi hotspots.
ARP Spoofing
To conduct an SSL stripping, a malicious user connects to a user’s IP address via a spoofed ARP (Address Resolution Protocol) message. Then the attacker can obtain the data sent to that IP address.
Using a proxy server
An attacker can manipulate a browser proxy to route the traffic to their external server. As a result, the attacker will receive every request made from the user’s side. This allows them to set up malicious connections based on unencrypted requests.
Using a fake public Wi-Fi network
Cybercriminals can set up public wireless networks to lure users into connecting to them. Threat actors often use network names that resemble popular open Wi-Fi networks and legitimate hotspot names, such as the names of cafes and public institutions. Once the connections are established through the fake hotspots, the attackers can obtain all users’ communications that pass through it.
How to Detect SSL Stripping Attacks
Even though many SSL stripping attacks go unnoticed, they are not that difficult to detect. One has to be aware of the signs that indicate such a vulnerability.
In particular, the most common ways to spot an SSL stripping include:
- The web address in the web browser’s search bar is the most obvious way to detect an SSL stripping attack. Instead of HTTPS, it would say only HTTP. In addition, the padlock next to the web address bar would be open and colored in red.
- Another obvious way to spot an SSL stripping is by keeping an eye on the design and appearance of websites. Often, the fake websites offered to the users after an SSL strip attack are slightly different from the original websites they wanted to open. For example, there may be spelling mistakes in the text, and the design may look strange.
Identify SSL/TLS vulnerabilities with ease
How to Prevent SSL Stripping Attacks
Early detection is the best way to minimize the negative effect of SSL stripping. Users must stay on the lookout for the strange appearance of the websites they visit, the padlock color and shape in their browser’s search bar, and the indication of HTTP or HTTPS in the same place.
It’s often recommended to manually enter the addresses of websites instead of using redirections from other websites that allow for unauthorized interception. This is how you can prevent a Man-in-the-Middle attack.
Some additional methods to prevent SSL stripping attacks include:
- Using a browser extension(such as HTTPS Everywhere) that catches such attacks through employing domain and rule lists
- Enabling of SSL sitewide instead of only on one webpage
- Using HTTP Strict Transport Security (HSTS) which requires websites to allow only connections utilizing HTTPS
- Using of Virtual Private Networks (VPNs)
- Avoiding public Wi-Fi to avoid the interception of sensitive data over an insecure connection
- Bookmarking of secure websites for future use
- Avoiding insecure HTTP connections and suspicious links
In an ocean of different potential cyber threats, among which are SSL stripping attacks. Crashtest Security’s powerful Vulnerability Testing Software helps you stay on top of cyber threats and security gaps. With its help, you can check for a wide array of vulnerabilities and prevent risks to your cyber security.
