What is SSL Stripping?
SSL stripping is a method of downgrading a website connection from HTTPS to HTTP.
In other words, the attack is used to bypass the encryption that SSL certificates impose on HTTPS pages. This is also called an SSL downgrade attack.
The attack exposes the website's traffic to eavesdropping and data manipulation by forcing it onto vulnerable HTTP instead of safe HTTPS.
When you type a URL into the browser, the first connection is plain HTTP before it is redirected to secure HTTPS. The attacker uses the SSL stripping attack to take advantage of this small window.
The attack was first demonstrated by Moxie Marlinspike, an ace computer security researcher, who showed how the security of HTTPS can be fooled. He was Chief Technical Officer of Whisper Technologies, which Twitter later took over in 2011.
HTTP and HTTPS are application protocols. HTTP transmits data in plaintext, whereas HTTPS sends data through a secure tunnel.
Now that you have a fair idea of what SSL stripping is, let's understand how it actually works.
How does SSL stripping work?
There are three parties involved in SSL stripping:
- Attacker A
- Victim V
- Server S
Victim V is made to believe that the data he shares is secure and authenticated when it is transmitted to the server over the network. In fact, the integrity of the data in transit is not guaranteed, because the encryption has been taken off and the data is exposed in plaintext to the MITM.
- Victim V wants to use protected HTTPS to access his social network account, but attacker A wants to get the passwords that victim V uses.
- To do this, attacker A must establish a connection with victim V that cuts off the secure connection between the victim and the server.
- Now when victim V tries to access the website, attacker A is the recipient of the message. The attacker interposes, acting as victim V's default gateway, and forwards the packet to the server.
- The point to note here is that attacker A's system and the server will have an SSL-encrypted connection.
- The web server now responds to attacker A's request with an HTTPS URL (which should originally have gone to victim V).
- Attacker A will now use his dangerous skills to downgrade the HTTPS to HTTP and forward the result to victim V. The catch (or casualty!) is that victim V has no idea what's going on in the background, nor does he have any way to confirm the authenticity of the data he has received.
- Now that the SSL encryption is stripped, attacker A can read anything victim V submits in forms, including user details, passwords, credit card numbers, etc.
How to Prevent SSL Stripping?
SSL certificates are a very safe way to transmit data, but gaps appear as the technology around them grows. These gaps can be tackled. Below are just some of the options:
- Enable SSL site-wide (use HTTPS only)
- Enable HSTS (HTTP Strict Transport Security)
- Enable secure cookies, to ensure that all cookies are served with the Secure attribute.
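The three options above can be checked from the outside by looking at what a site actually sends back. The following is an added example, not code from the original article: a small auditor that inspects one response for a missing HTTPS redirect, a missing or short-lived HSTS header, and cookies set without the Secure attribute. The function names, the one-year max-age floor and the sample responses are assumptions made for illustration.

```python
import re

MIN_MAX_AGE = 31536000  # assumption: one year as the policy floor for max-age


def header_values(headers, name):
    """All values of a header, matched case-insensitively."""
    return [v for k, v in headers if k.lower() == name]


def audit_response(scheme, status, headers):
    """Return stripping-related findings; headers is a list of (name, value)."""
    findings = []
    if scheme == "http":
        # Plain HTTP should do nothing except redirect to the HTTPS site.
        loc = (header_values(headers, "location") or [""])[0]
        if status not in (301, 302, 307, 308) or not loc.lower().startswith("https://"):
            findings.append("http response is not a redirect to https")
        return findings  # browsers ignore HSTS received over plain HTTP

    hsts = header_values(headers, "strict-transport-security")
    if not hsts:
        findings.append("missing Strict-Transport-Security header")
    else:
        m = re.search(r'max-age\s*=\s*"?(\d+)', hsts[0], re.I)
        if not m or int(m.group(1)) < MIN_MAX_AGE:
            findings.append("HSTS max-age missing or below policy floor")

    for cookie in header_values(headers, "set-cookie"):
        name = cookie.split("=", 1)[0].strip()
        attrs = [a.strip().lower() for a in cookie.split(";")[1:]]
        if "secure" not in attrs:
            findings.append(f"cookie {name!r} set without Secure attribute")
    return findings


# Constructed sample responses (not captured from any real site).
WEAK = ("https", 200, [("Set-Cookie", "session=abc123; Path=/; HttpOnly")])
HARDENED = ("https", 200, [
    ("Strict-Transport-Security", "max-age=63072000; includeSubDomains"),
    ("Set-Cookie", "session=abc123; Path=/; HttpOnly; Secure"),
])
PLAIN_OK = ("http", 301, [("Location", "https://example.com/")])
PLAIN_BAD = ("http", 200, [])  # page served over HTTP with no redirect

if __name__ == "__main__":
    for label, resp in (("weak", WEAK), ("hardened", HARDENED),
                        ("plain-ok", PLAIN_OK), ("plain-bad", PLAIN_BAD)):
        print(label, audit_response(*resp))
```

Even with a correct redirect, the very first plain-HTTP request is still the window described earlier; HSTS closes it only after the browser has seen the header once over HTTPS.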
How Users can be aware of this attack
- Enable HTTPS Everywhere. This tells the browser to use the SSL version of a website wherever possible.
- SSL stripping does not throw any SSL error. But if the browser does throw one, do not ignore the error and proceed. Close the page immediately.
- Use a VPN, because the MITM is possible only when the attacker and victim are on the same network. With VPN tunneling, the attacker will not be able to see that you are on the same network.