SSL stripping attacks (also known as SSL downgrade or HTTP downgrade attacks) are a type of cyber attack in which hackers downgrade a web connection from the more secure HTTPS to the less secure HTTP. This makes all communications unencrypted and sets the stage for a man-in-the-middle attack, in which the hacker sits in the middle of a conversation, listening to or intercepting information. SSL stripping can lead to security risks such as hackers eavesdropping on private information, or even altering data or communications, without legitimate users ever knowing.
This article will cover everything you need to know about SSL stripping attacks, including:
- What are SSL stripping attacks?
- How do SSL stripping attacks work?
- What are examples of how SSL stripping attacks work?
- What are the potential risks of SSL stripping attacks?
- How can you protect against SSL stripping attacks?
What are SSL Stripping Attacks?
Every connection to a website uses an application protocol, either HTTP or HTTPS. HTTP is less secure because it transmits information in plaintext, whereas HTTPS is more secure because it encrypts all information. HTTPS encrypts information by running HTTP over SSL/TLS, a protocol that uses the site's digital certificate to authenticate its identity and then encrypts the data exchanged.
SSL stripping attacks occur when a hacker intervenes in the connection between a user and a website. The hacker sits in the middle of the connection, connecting themselves to the HTTPS version of the site and connecting the user to the HTTP version of the site. This allows them to see everything the user says in an unencrypted form.
Moxie Marlinspike, a computer security researcher, first warned about the opportunities for hackers to conduct SSL stripping at an information security event in 2009. He noted that this type of attack would significantly threaten security since hackers can execute it undetected, in real-time, on any website — regardless of the security protocols that website has in place.
How do SSL Stripping Attacks Work?
When users visit a website, they typically connect to the HTTP version first and are then redirected to the HTTPS version. In SSL stripping attacks, hackers use this window to act as a man in the middle and prevent users from ever connecting to the HTTPS version of the site.
Breaking this down further, a typical browsing session starts out insecure. Users first reach the HTTP version of a website, and only then does the redirect to HTTPS take place, where the site's certificate is verified and the encrypted connection is established. These steps are intended to ensure privacy and verify the legitimacy of those involved in the connection.
Hackers can “strip” the SSL connection by inserting themselves in this process. When they do so, they act as a man in the middle by establishing their own HTTPS connection with the website (posing as the user) and maintaining the HTTP connection with the user (posing as the website). Once they make those connections, they can sit in the middle of the conversation and obtain everything the user submits on the website in plaintext form. When this happens, users are not only sharing information with an illegitimate source in plaintext, but they also may receive altered responses in return (since the hacker can alter the communication back from the legitimate website).
There are generally three ways hackers can gain the necessary access to execute SSL stripping attacks:
- Proxy servers: Hackers can manually set a user’s browser proxy to route all traffic to their own external server. This means every web request users make will go to the hacker, who can then take over and establish manipulative connections based on each request.
- ARP spoofing: Hackers on the same local network send forged address resolution protocol (ARP) messages so that traffic meant for the user's IP address (or for the network gateway) is delivered to the hacker's machine instead. Once in that position, they receive any data intended for the legitimate user's IP address.
- Network access: Hackers can create a fake public wifi network, and once users connect to that network, the hackers control all communications that occur on it. If hackers can gain access to any secure network, they can execute the attack in a similar way.
What are Examples of How SSL Stripping Attacks Work?
SSL stripping attacks can take numerous forms, but here are three examples of how they can work in action.
Example 1: Alice accidentally exposes customer information
Alice works in customer service at her company and needs to visit a site she uses often to put in some details about recent customer conversations she’s held. Unbeknownst to her, she stays on the HTTP version of the site rather than getting authenticated to the HTTPS version of the site because a hacker is sitting in the middle of that connection. Now, everything she inputs is shared without any encryption, exposing it directly to the hacker.
In the course of her work, Alice inputs information about her customers, including their full names, addresses and account numbers. The hacker sitting on the other side now has access to this information and can use it to pose as those customers.
Example 2: Bob’s credit card details get stolen
Bob wants to do some shopping online while he sits in a coffee shop, so he connects to the shop’s public wifi network and visits his favorite eCommerce site. The pages of shirts he browses don’t have a padlock in the URL bar to indicate they’re secure, but he thinks that’s okay since he’s just looking at the shirts and not putting in any information.
After spending some time on the site, he finds three shirts he likes and adds them to his cart. At this point, he's forgotten about the missing padlock and enters his credit card details and billing address to complete the transaction. $50,000 in fraudulent charges later, Bob learns there was actually a hacker interrupting his connection with the secure version of the eCommerce site, which exposed his credit card details and billing address.
Example 3: Mary receives inaccurate information
Mary works in her company’s finance department and is asked to issue a refund to a customer. She goes to the company’s customer community website to send a message to the customer about the refund timing and confirm she has the correct information about where to send the refund. The customer responds that they actually have a new account and asks if she can send the refund there instead. She sends a test to verify the account and then issues the refund accordingly.
What Mary didn’t realize in the course of this conversation is that she was on an insecure, HTTP version of the customer community rather than the secure, HTTPS version. It turns out a hacker had previously established a proxy server on her computer to route all traffic to his own server, thereby allowing him to strip the SSL on her connection to the customer community. Once the hacker established that connection, he intercepted Mary’s communications and sent his own bank account information to receive the refund, all while posing as Mary to the actual customer and telling them the company would not be able to honor the refund.
What are the Potential Risks of SSL Stripping Attacks?
SSL stripping attacks are extremely dangerous because they can often happen without the user's knowledge. This means users won't alter their behavior because they don't realize that anything is actually wrong. Along the way, these attacks pose serious risks, including:
With SSL stripping attacks, anything users send to a website is accessible to hackers and anyone else on the path because it is sent in plaintext and not encrypted. This can easily lead to stolen information, including intellectual property and sensitive, personally identifiable information about the user or a company's customers.
SSL stripping attacks don't just allow hackers to intercept information users send to a website — they also allow them to do the reverse and alter communications coming back from the website to the user.
This means that users may receive inaccurate communications back from the website because they were altered in transit by the hacker. Receiving false information in this way can lead users to take an entirely different set of actions than they would have, leading to a number of threats for both individuals and companies.
Stealing users' login credentials through a man-in-the-middle attack can also give hackers access to any number of additional systems. This means that even if only one system is susceptible to attack, it might make other, more secure systems more vulnerable as a result. Overall, this situation requires organizations' security teams to ensure there is no weak link, no matter how trivial any given connection point might seem.
How Can You Protect Against SSL Stripping Attacks?
Despite the serious risk of SSL stripping attacks, there are several steps organizations can take to protect against them. Some of the best ways to protect against SSL stripping attacks include:
1) Enable SSL sitewide for your own website
It’s common to enable SSL on any web pages that require users to input information, which is a good start. But the best practice is to enable SSL across your entire website — even pages that don’t require users to input any information — to ensure more complete protection by avoiding any loopholes in going from HTTP to HTTPS.
When you enable SSL sitewide, modern browsers will even flag an issue for users if they can’t verify the site’s certificate to connect via HTTPS. This helps alert users that continuing with the connection may make them vulnerable to attack.
2) Implement HSTS policy on company computers
HSTS stands for HTTP Strict Transport Security. It is a policy, delivered by a website in a response header, that tells the browser never to load that site over a plain HTTP connection and to rewrite any http:// request for the site to https:// itself before sending it. Implementing this type of policy on all company-owned devices prevents users from visiting unsecured versions of those websites, since the browser won't open a page over an HTTP connection.
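The following is an added example, not code from the article. It models both steps 1 and 2 above in one place: the server side of "SSL sitewide" (every plain-HTTP request, for any path, is answered with a 301 to HTTPS, and every HTTPS response carries a Strict-Transport-Security header) and the browser side of HSTS (a cache of policies that upgrades http:// URLs to https:// before any request leaves the machine). The host names, header values, the `Browser` and `origin_response` helpers and the `demo()` walkthrough are all constructed for illustration; nothing touches the network.

```python
"""Added example, not code from the article: a small model of how sitewide
HTTPS redirects (step 1) and HSTS (step 2) close the HTTP-to-HTTPS window
that SSL stripping exploits. Host names, header values and the toy
'browser' are constructed for illustration; nothing touches the network."""
import re
import time
from dataclasses import dataclass
from urllib.parse import urlsplit, urlunsplit

MAX_AGE_RE = re.compile(r'max-age\s*=\s*"?(\d+)"?', re.I)


@dataclass
class HstsEntry:
    expires: float            # absolute time, seconds since the epoch
    include_subdomains: bool


def parse_hsts(header: str):
    """Return (max_age, includeSubDomains) or None if max-age is missing."""
    m = MAX_AGE_RE.search(header)
    if not m:
        return None
    directives = [d.strip().lower() for d in header.split(";")]
    return int(m.group(1)), "includesubdomains" in directives


class Browser:
    """Only the part of a browser that matters here: its HSTS cache."""

    def __init__(self, now=time.time):
        self.hsts = {}        # host -> HstsEntry
        self.now = now

    def _known_host(self, host: str) -> bool:
        # Walk from the host itself up through its parent domains.
        labels = host.split(".")
        for i in range(len(labels)):
            entry = self.hsts.get(".".join(labels[i:]))
            if entry is None or entry.expires <= self.now():
                continue
            if i == 0 or entry.include_subdomains:
                return True
        return False

    def rewrite_url(self, url: str) -> str:
        """Done before any packet leaves the machine: an http:// URL for a
        host with a cached policy is upgraded to https://."""
        parts = urlsplit(url)
        if parts.scheme == "http" and self._known_host(parts.hostname):
            return urlunsplit(("https",) + tuple(parts[1:]))
        return url

    def receive(self, url: str, headers: dict) -> None:
        """Record a policy from a response. Per RFC 6797 an HSTS header seen
        over plain HTTP is ignored, which is why the very first visit is the
        exposed one and why browser preload lists exist."""
        parts = urlsplit(url)
        value = headers.get("Strict-Transport-Security")
        if parts.scheme != "https" or value is None:
            return
        parsed = parse_hsts(value)
        if parsed is None:
            return
        max_age, sub = parsed
        if max_age == 0:
            self.hsts.pop(parts.hostname, None)   # max-age=0 withdraws the policy
        else:
            self.hsts[parts.hostname] = HstsEntry(self.now() + max_age, sub)


def origin_response(url: str) -> tuple:
    """Server side of 'SSL sitewide': every plain-HTTP request, whatever the
    path, gets a 301 to HTTPS; every HTTPS response carries HSTS."""
    parts = urlsplit(url)
    if parts.scheme == "http":
        return 301, {"Location": urlunsplit(("https",) + tuple(parts[1:]))}
    return 200, {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}


def demo() -> dict:
    """First visit (no policy yet) versus later visits (policy cached)."""
    clock = [1_000_000.0]
    browser = Browser(now=lambda: clock[0])
    out = {}
    first = browser.rewrite_url("http://shop.example/cart")   # still http://
    out["first_request"] = first
    out["first_status"], hdrs = origin_response(first)         # 301 to https
    secure_url = hdrs["Location"]
    _, hdrs = origin_response(secure_url)
    browser.receive(secure_url, hdrs)
    # Later visits are upgraded locally; there is no HTTP request to strip.
    out["second_request"] = browser.rewrite_url("http://shop.example/login")
    out["subdomain_request"] = browser.rewrite_url("http://api.shop.example/v1")
    # A policy delivered over plain HTTP is not trusted.
    browser.receive("http://other.example/", {"Strict-Transport-Security": "max-age=600"})
    out["untrusted_header"] = browser.rewrite_url("http://other.example/")
    # Once max-age elapses the policy lapses unless a later HTTPS visit refreshes it.
    clock[0] += 31536001
    out["after_expiry"] = browser.rewrite_url("http://shop.example/")
    return out
```

Running `demo()` shows the gap the article describes: the first request to `shop.example` goes out as plain HTTP and is only rescued by the server's 301, whereas every later request (including subdomains, thanks to `includeSubDomains`) is rewritten to HTTPS inside the browser. The `other.example` case shows why a policy is only honored when received over HTTPS, and the expiry case is the reason a long `max-age` is recommended.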
3) Enable secure cookies for all company users
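The following is an added example, not code from the article, illustrating what "secure cookies" means in practice: a `Set-Cookie` header carrying the `Secure` attribute is never sent by the browser over a plain-HTTP request, so even a stripped connection does not leak the session cookie. The `audit_set_cookie` checker, the toy `CookieJar` and the cookie names and values are constructed for illustration and are not from any real application.

```python
"""Added example, not code from the article: why the Secure attribute
matters once a connection has been downgraded. Cookie names, values and
the minimal cookie jar below are constructed for illustration."""
from http.cookies import SimpleCookie
from urllib.parse import urlsplit


def audit_set_cookie(header_value: str) -> list:
    """Return findings for one Set-Cookie header; an empty list means OK."""
    jar = SimpleCookie()
    jar.load(header_value)
    findings = []
    for name, morsel in jar.items():
        if not morsel["secure"]:
            findings.append(f"{name}: missing Secure (would be sent over plain HTTP)")
        if not morsel["httponly"]:
            findings.append(f"{name}: missing HttpOnly (readable by script)")
        if not morsel["samesite"]:
            findings.append(f"{name}: missing SameSite")
    return findings


class CookieJar:
    """Models only the browser rule the Secure attribute switches on."""

    def __init__(self):
        self.cookies = []     # (host, name, value, secure)

    def store(self, url: str, set_cookie: str) -> None:
        host = urlsplit(url).hostname
        jar = SimpleCookie()
        jar.load(set_cookie)
        for name, m in jar.items():
            self.cookies.append((host, name, m.value, bool(m["secure"])))

    def cookies_for(self, url: str) -> dict:
        """Cookies the browser would attach to a request for this URL."""
        parts = urlsplit(url)
        return {name: value
                for host, name, value, secure in self.cookies
                if host == parts.hostname and (parts.scheme == "https" or not secure)}


def demo() -> dict:
    """Audit a weak and a hardened header, then see which cookie leaks
    when the same site is reached over a stripped (plain-HTTP) URL."""
    weak = "session=abc123; Path=/"
    hardened = "session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"
    jar = CookieJar()
    jar.store("https://shop.example/login", weak.replace("session", "weak_session"))
    jar.store("https://shop.example/login", hardened)
    return {
        "weak_findings": audit_set_cookie(weak),
        "hardened_findings": audit_set_cookie(hardened),
        "sent_over_http": jar.cookies_for("http://shop.example/account"),
        "sent_over_https": jar.cookies_for("https://shop.example/account"),
    }
```

The `sent_over_http` entry is the one to look at: only the cookie set without `Secure` is attached to the downgraded request, so that is the one a man in the middle on the HTTP leg could capture. `audit_set_cookie` can be run over your own application's response headers to spot session cookies that still lack the attribute.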
4) Educate users about potential vulnerabilities
Finally, educating users about potential vulnerabilities can also go a long way. One of the biggest points of education is instructing users not to connect to public wifi networks and to always use a VPN connection instead. Additionally, it's helpful to share warning signs with users, such as encouraging them to check the URL of any website they visit to ensure it starts with HTTPS rather than HTTP, and to pay attention to the padlock in the URL bar, which will be unlocked or red if the connection is not secure.