SSL Stripping, also known as SSL Downgrade attacks, is in simple terms, high-tech , undetected eavesdropping.
The aim of an SSL Stripping attack is always to kill secure communication without the victim realizing. It’s all about data collection and manipulation.
SSL Stripping allows attackers to downgrade your connection from a secure HTTPS to an insecure HTTP. This in turn, leaves you vulnerable to spying and data manipulation.
It is somewhat similar to wiretapping, just a little more technical.
However, both wiretapping and SSL Stripping have a ‘man-in-the-middle’ – the person who does the eavesdropping. In this case, it’s the hacker, who creates a proxy server that intercepts and reroutes the traffic from a victim’s computer to theirs. They can then use the intercepted information to do just about anything they want.
Users will often not realize their information is being or has been compromised, because they will end up on a page that looks practically the same as the one they were searching for.
That’s how SSL Stripping tricks users into believing their connection is secure and their data encrypted, but the connection is actually insecure and the data is sent in plain text, because the encryption would have been stripped from it. That’s why it is called SSL ‘strip’.
How does SSL stripping work?
SSL Stripping thrives in threes. An attack cannot happen without three required entities present.
There has to be:
- The victim’s system
- A secure web server
- The attackers system
With those three pieces in place, the wheel of deception starts spinning.
Here’s an example.
Jane is trying to buy a pair of shoes through a secure, HTTPS- enabled website. John - the hacker - realizes this and wants to capture the communication and see Jane’s confidential information. Think credit card number, passwords, etc. To do this, John puts himself in the middle of the transaction, by establishing a connection with the victim. This then cuts Jane’s communication with the secure server. Jane, unaware of what’s happening, continues her shopping; finds the shoes she likes and proceeds to pay by requesting a banking site on her browser. The request however goes to John, who forwards it to the server of the actual banking site. The web server sends the response to John, thinking it is Jane- in the form of an HTTPS URL. John then proceeds to use his coding skills to downgrade the secure HTTPS URL to an insecure HTTP URL and passes that on to Jane, who is clueless as to what transpired in the background. Because John’s attack was successful, whatever information Jane sends is no longer encrypted. This gives John full access to her passwords, credit card details, home address, etc.
Note carefully, that John’s information is never compromised during the attack, because his communication with the website is SSL protected.
The process may seem long and time consuming, but it only takes a few minutes to launch a successful SSL Stripping attack.
How to prevent your website from SSL Stripping
Detecting compromised pages is difficult. That’s one of the reasons SSL Stripping is so dangerous. But there are a number of steps that can be taken to protect your website against attacks.
Here are three ways to protect against SSL Stripping attacks.
- SSL Certificates
- HSTS preload list
Understanding what SSL Certificates are will provide a clearer picture of how they help protect against attacks.
SSL Certificates are small data files that check the identity of a website and encrypt information sent to a server. When you install an SSL certificate on a web server, it activates the secure padlock icon and the https protocol which allows secure connections from a web server to a browser.
HTTP Strict Transport Security or HSTS provides a higher level of security by instructing your computer browser to connect only through HTTPS. It also requires that your computer never connect, while unencrypted, using HTTP.
By doing these two things, the HTTS ensures that SSL Stripping attacks launched on your browser are not successful.
HTTS is however not a bullet proof method against SSL Stripping attacks. If you were already attacked when you first visited a site, using HTTS retroactively may not be useful.
For this reason, you are advised to kick things up a notch, which brings us to our third
Method – using a HSTS preload list.
HSTS Preload List
An HSTS preload list is a global inventory of websites that only use HTTPS connections.
It provides another level of security to your site and website owners are urged to educate themselves on the list and how to they can it to protect their websites against SSL Stripping attacks.
The HSTS Preload List must be set up to serve an HSTS header on the base domain for all HTTPS request.
It will then indicate to all browsers that the site should only be loaded under the HTTPS protocol. All other variations are rejected.
In other words, the HSTS Preload List works by refusing to connect to a website if the browser detects an HTTP.
The average user may not be able to tell if a website uses HSTS, the HSTS Preload List or has other weaknesses.
For these reasons, you are advised to consider further, more secure privacy protection options such as:
- Wildcard SSL Certificate
Wildcard SSL Certificate
There are different SSL Certificate types. Wildcard SSL is one type. They are able to secure unlimited sub domains on a single certificate. It provides an added layer of security and can be added to the SSL Certificate cost, by purchasing both at the same time. It’s a great solution for anyone who hosts or manages multiple sites or pages that exist on the same domain.
A Virtual Private Network or VPN can easily prevent an SSL Stripping attack, by cutting out the man in the middle.
An attack is mostly possible when a user is sharing a common network with the attacker. But because the VPN encrypts and protect all internet traffic within a secure VPN tunnel, the hacker will not know that you’re on the same network, thus preventing an attack.
VPN security lessens or completely removes the need to be constantly checking for HTTP, HTTPS, lock symbols or anything else. Usernames, passwords and other confidential information are protected from other users.
Education is crucial to understanding and avoiding SSL Stripping.
Here are a few, basic precautions users can take to avoid falling victim to SSL stripping.
- WiFi: There’s sometimes an urge to use public Wi-Fi to save on data or for other seemingly valid reasons. However, public Wi-Fi should be avoided, particularly when sending sensitive information.
- HTTPS Everywhere: This is a browser extension that forces browsers to only send information over HTTPS websites. Users should be encouraged to download it.
- HTTPS: Typing in https as part of a URL can seem like a waste of time, but it is a pretty big deal. Even if you don’t type it in, ensure those five letters are present before clicking on it.
- Links: Speaking of not clicking. If a link or an email looks suspicious, it probably is, so resist the urge to click on it.
- Website Monitoring tools: One of the best ways to recognize malicious activity is by using a premium website monitoring software. This can help to provide real-time alerts on unusual activity on your website.
SSL Stripping takes place in the background and most users are generally not aware, but armed with the basic, free SSL information users and website owners can protect themselves against attacks.