WHAT IS SSL STRIPPING & HOW TO PREVENT IT?
SSL stripping is the process of converting a website from HTTP to HTTP.
In other words, the exploit is used to get around the protection that SSL certificates provide on HTTPS sites. SSL downgrade is another term for this.
By forcing the website to use insecure HTTP rather than secure HTTPS, the assaults expose it to eavesdropping and data manipulation.
When you type the URL into your browser, the first connection will be ordinary HTTP, which will be followed by a secure HTTPS redirect. Using the SSL strip attack, the attacker takes advantage of this tiny window.
Moxie Marlinspike, a renowned computer security expert, was the first to demonstrate the attack and how HTTPS security may be compromised. He was the Chief Technical Officer of Whisper Technologies, a company that was acquired by Twitter in 2011.
HTTP and HTTPS are HTTP and HTTPS, respectively. HTTP sends data in plaintext, whereas HTTPS uses a secure tunnel to transport data.
Now that you have a good understanding of SSL stripping, let’s look at how it truly works.
WHAT IS SSL STRIPPING AND HOW DOES IT WORK?
There are three prerequisites for SSL stripping to take place.
Assailant A Victim V Server S
Before I go into detail, here’s a graphic illustration of what I’m talking about:
SSL decryption
Victim V is led to believe that the information he is exchanging with the server is secure and encrypted as it is sent over the network. However, the data that is moving has no validity because the encryption has been removed and the data is in plaintext, making it vulnerable to MITM.
(Let’s use an example to illustrate this)
- Victim V wants to get into his social media account using a safe HTTPS connection, but attacker A wants to steal his credentials.
- To do so, attacker A must establish a connection with victim V, breaking the victim’s secure connection to the server.
- Now, victim V will attempt to access the website, using attacker A as the recipient of the request. The attacker will intervene and act as the victim’s default gateway, sharing the packet with the server.
- The important thing to remember is that the attacker’s machine and the server will be connected via an SSL secured connection.
- The webserver now sends an HTTPS URL to Attacker A in response to the request (which should have gone to Victim V originally).
- The attacker A will now utilize its nefarious abilities to convert the HTTPS to HTTP and send it to victim V. The beauty (or tragedy!) is that victim V has no idea what’s going on in
- the background and has no way of verifying the accuracy of the information he’s received.
- Because the SSL encryption has been removed, anything victim V types, such as user information, passwords, credit card numbers, and so on, will be sniffed by Attacker A.
- (Now that you know how SSL stripping works, I’ll show you how to avoid it.)
HOW CAN YOU AVOID SSL STRIPPING?
Also check out: Avast, the world’s leading IT security company, recently disclosed that over 700,000 routers throughout the world have been identified as vulnerable.
SSL certificates are a very secure method of delivering data, but as technology advances, so do the flaws. These flaws can be closed. A handful of the options are listed below.
- Enable SSL on a per-site basis (use HTTPS only)
- HSTS should be enabled (HTTP Strict Transport Security)
- To ensure that all cookies are served with secure attributes, enable secure cookies.
- Read about the dangers of not using SSL certificates for your webservers or other internet-based applications.
HOW CAN USERS BE INFORMED ABOUT THIS ATTACK?
HTTPS is a protocol that should be installed everywhere. This tells the browser that SSL versions of the website should be used whenever possible.
SSL Strips generates no SSL errors. However, if it throws an error, do not ignore it and continue. Exit the page as soon as possible.
Because MITM is only possible when the attacker and victim are on the same network, use a VPN network. The attacker will not be able to tell that you are on the same network if you use VPN tunneling.