What is the SSL stripping attack?

An SSL stripping attack is a way to remove websites’ security implemented through HTTPS. It robs a site of encryption meant to protect data from traversing online in plaintext.

Modern website owners have dropped the HTTP connection, opting for SSL (Secure Sockets Layer) and, later, TLS (Transport Layer Security). The SSL stripping attack downgrades these protocols and places hackers in the middle of users’ connections.

Thus, if the perpetrator sits in the middle, they can see what data you submit, from login credentials to credit card information.

Definition of the SSL stripping attack

An SSL stripping attack takes away encryption protocols which normally encode data users submit to websites. If HTTPS functions correctly, perpetrators cannot read information exchanged between clients and servers.

For instance, if you provide your credentials to an HTTPS page, hackers cannot obtain them even if they intercept the interaction. SSL stripping finds a loophole by clearing all traces of HTTPS security.

Perpetrators can perform man-in-the-middle attacks, take away websites’ security, pose as legitimate web servers, and capture unencrypted information. The POODLE attack is a similar web threat, intercepting communications between browsers and servers.

The SSL stripping attack first appeared in the spotlight in 2009, demonstrated by Moxie Marlinspike.

How does the SSL stripping attack work?

An SSL stripping attack is a ruthless attempt to compromise websites’ security and steal their clients’ data. So, it transforms a secure HTTPS into a plaintext HTTP connection.

Users might not notice this downgrade, browsing unsecured as usual and unwittingly allowing hackers to capture all data. More vigilant web visitors could take notice of the flip to the HTTP protocol.

However, users could assume that a website does not use HTTPS voluntarily. For instance, webmasters might use TLS or SSL on login pages but regress to unsecured connections for others.

From a technical viewpoint, an SSL stripping attack works through these steps:

1. An attacker intercepts the connection between a server (website) and a client (website visitor).
2. The client wishes to access their account hosted on the server and sends an HTTPS request to it.
3. The attacker sits in the middle of this interaction and modifies the client’s request. More specifically, it swaps their security certificate with theirs.
4. The attacker alters the server’s response and strips it from HTTPS security, replacing it with HTTP.
5. The client provides credentials but does not know that this information does not get encrypted. The attacker reads the passwords and usernames in plaintext.

How do hackers get the chance to execute SSL stripping attacks?

SSL stripping attacks can capture users’ information by tricking them into revealing it without the protection of security protocols. However, insecure HTTP can also facilitate modified responses from the server. Thus, the reply could contain dangerous links, fake payment details, or other questionable content.

However, hackers must execute attacks against victims prior to SSL stripping. One attack venue was Tor; a browser focused on privacy and anonymity. Perpetrators added unsecured servers to the Tor network that facilitated SSL stripping attacks. Researchers also identified the targeted clients: people using Tor to access crypto-related websites.

Thus, the following tactics can precede SSL stripping:

• ARP spoofing. Attackers can connect to victims’ IP addresses via spoofed address resolution protocol (ARP) requests. Then, they can see all traffic arriving at the address.
• Proxy servers. A proxy server routes all traffic to external servers. Attackers can build unreliable servers with settings facilitating unauthorized access to exchanged data.
• Fake Wi-Fi hotspots. Perpetrators can use free Wi-Fi hotspots to get users to connect. In some cases, they can set evil twins imitating SSIDs of networks managed by restaurants or facilities. Hackers controlling the fake hotspot can see and control connected users’ traffic and execute SSL stripping attacks.

What risks do users face with SSL stripping attacks?

A successful SSL stripping attack can grant hackers access to formerly encrypted traffic. That data includes login details, bank details, physical addresses, email addresses, and corporate details.

So, consequences of SSL stripping can include the following user losses:

• Loss of login and personal data. SSL stripping attacks could compromise sign-in pages, allowing hackers to capture passwords and other account-related information. The unsecured connections could expose other types of data, from phone numbers to bank account details.
• Exploiting stolen information. Attackers can abuse stolen information to commit identity fraud, steal money, or gain access to other accounts.
• Sending modified server responses. SSL stripping could coerce users into performing unwanted actions. It is because they can present misleading information via altered server responses.

How to detect an SSL stripping attack?

SSL stripping attacks have one weak link: alert users might notice that the HTTPS connection has suddenly switched to HTTP. You might detect this through the change in the address bar. Instead of a locked padlock, you might notice a warning symbol.

Most web browsers can also present full-page error messages stating that your connection is not secure.

Furthermore, perpetrators could lead users into fake versions of legitimate websites. Poorly-designed copycats will have clear red flags, like inconsistent fonts or bizarre messages.

Preventing SSL stripping attacks

Luckily, web admins have the option to protect their servers and clients from SSL stripping. For instance, newer versions of TLS encrypt more of the client-server interactions. Thus, scrambling the redirection process blocks attempts to intercept and control it. Moreover, websites can benefit from HTTP Strict Transport Security (HSTS) preload list, enforcing secure connections.

However, it is possible that many websites still lack such defense mechanisms. Thus, you should know how to ward off SSL stripping attacks:

• Install HTTPS Everywhere extension to enforce a secure connection to all websites.
• Avoid unknown hotspots, as poor security settings or evil twins, could allow perpetrators to downgrade your connections to HTTP.
• Regard HTTP as dangerous and exit websites that do not have valid security certificates and protocols.
• Protect your local networks by changing your SSID and default password to prevent unknown entities from connecting.
• Install a Virtual Private Network which will continue encrypting your internet connection regardless of website protections.