What is SSL Stripping & How to Prevent it?


What is SSL Stripping?

SSL stripping is a technique by which a connection to a website is downgraded from HTTPS to HTTP.

In other words, the attack circumvents the protection that SSL certificates enforce on HTTPS sites. It is also known as SSL downgrading.

The attack exposes the website traffic to eavesdropping and data manipulation by forcing it to use insecure HTTP rather than secured HTTPS.

When you enter a URL in the browser, the first connection is usually plain HTTP, which is then redirected to secure HTTPS. The attacker takes advantage of this small window to carry out the SSL strip attack.

Moxie Marlinspike, an ace computer security researcher, first demonstrated the attack and how HTTPS security can be fooled. He was the chief technical officer of Whisper Technologies, which was later taken over by Twitter in 2011.

HTTP and HTTPS are application protocols. HTTP transmits data in plaintext, whereas HTTPS sends it through an encrypted tunnel.

Now that you have a fair idea of what SSL stripping is, let's understand how it actually works.


How does SSL stripping work?

An SSL stripping attack involves three parties:

  • Attacker A
  • Victim V
  • Server S

Before I explain it in detail, here is a visual representation of the attack:

[Figure: SSL stripping]

Victim V is made to believe that the data he exchanges with the server is encrypted in transit. In fact, there is no guarantee of the authenticity of the data travelling over the network, because the encryption has been stripped off and the data is in plaintext, vulnerable to a man-in-the-middle (MITM).

Let's illustrate that with an example:

  • Victim V wants to access his social network account over secure HTTPS, but attacker A wants to obtain the credentials that victim V uses.
  • To achieve this, attacker A must establish a connection with victim V that cuts the direct secure connection between the victim and the server.
  • Now, when victim V tries to access the website, the recipient of the request is attacker A. The attacker intervenes, acting as the default gateway for victim V, and forwards the packets to the server.
  • The point to note here is that attacker A's machine and the server will have an SSL-encrypted connection.
  • The web server now responds to the request (which should originally have gone to victim V) with an HTTPS URL, and that response reaches attacker A.
  • Attacker A now downgrades the HTTPS links to HTTP and forwards the rewritten page to victim V. The beauty (or casualty!) is that victim V has no idea what is happening in the background and has no way to confirm the authenticity of the data he receives.
  • Now that the SSL encryption has been stripped, anything victim V types, including user details, passwords, credit card numbers, etc., is sniffed by attacker A.

(Having understood how SSL stripping works, I will now guide you through the ways to prevent it.)

How to Prevent SSL Stripping?


SSL certificates are a very secure way of transmitting data, but as the technology grows, so do the loopholes. These loopholes can indeed be addressed. Below are a few of the solutions:

  • Enable SSL site-wide (use HTTPS only, and redirect every plain HTTP request to HTTPS).
  • Enable HSTS (HTTP Strict Transport Security), so that the browser refuses to contact the site over HTTP after its first secure visit.
  • Enable secure cookies, to ensure that all cookies are served with the Secure attribute and are never sent over plain HTTP.
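The following script is an added example, not code from the original article: it audits HTTP responses for the three mitigations listed above (an HTTP-to-HTTPS redirect, an HSTS header with a long max-age and includeSubDomains, and the Secure attribute on every cookie). The headers are passed in as (name, value) pairs; the sample responses at the bottom are constructed.

```python
# Added example, not code from the original article: audit HTTP responses for the
# three mitigations listed above (site-wide HTTPS redirect, HSTS, Secure cookies).
ONE_YEAR = 31536000  # HSTS max-age commonly recommended for production sites

def header(headers, name):
    """First value of a header, matched case-insensitively, or None."""
    return next((v for n, v in headers if n.lower() == name), None)

def parse_hsts(value):
    """Split a Strict-Transport-Security value into lower-cased directives."""
    directives = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            directives[name.lower()] = val.strip().strip('"')
    return directives

def audit_http_response(status, headers):
    """A plain-HTTP response should only ever redirect to an https:// URL."""
    location = header(headers, "location") or ""
    if 300 <= status < 400 and location.lower().startswith("https://"):
        return []
    return [f"plain HTTP answered with status {status} instead of redirecting to HTTPS"]

def audit_https_response(headers):
    """Check HSTS strength and the Secure attribute on every Set-Cookie."""
    findings = []
    hsts = header(headers, "strict-transport-security")
    if hsts is None:
        findings.append("missing Strict-Transport-Security header")
    else:
        d = parse_hsts(hsts)
        max_age = int(d["max-age"]) if d.get("max-age", "").isdigit() else 0
        if max_age < ONE_YEAR:
            findings.append(f"HSTS max-age {max_age} is shorter than one year")
        if "includesubdomains" not in d:
            findings.append("HSTS lacks includeSubDomains")
    for n, v in headers:  # loop rather than lookup: Set-Cookie may repeat
        if n.lower() == "set-cookie":
            name = v.split("=", 1)[0].strip()
            attrs = {a.strip().lower() for a in v.split(";")[1:]}
            if "secure" not in attrs:
                findings.append(f"cookie {name!r} lacks the Secure attribute")
    return findings

# Constructed sample responses: a weak configuration and a hardened one.
WEAK_HTTPS = [("Content-Type", "text/html"), ("Set-Cookie", "session=abc; HttpOnly")]
HARDENED_HTTPS = [("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
                  ("Set-Cookie", "session=abc; Secure; HttpOnly; SameSite=Lax")]
```

Run `audit_https_response(WEAK_HTTPS)` to see both findings reported, and `audit_https_response(HARDENED_HTTPS)` to get an empty list; feed it the headers of a real response to check your own site.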


How users can be aware of this attack

  • Install HTTPS Everywhere. This tells the browser to use the SSL version of a website wherever possible.
  • SSL strip does not throw any SSL error. But if the browser does throw one, do not skip the error and proceed further. Exit the page immediately.
  • Use a VPN, because this MITM attack is possible only when the attacker and victim are on the same network. With VPN tunneling, an attacker on the same network cannot read your traffic.

(With this entire guide, we are trying to make the internet a safer place for you all.)