SSL (or Secure Sockets Layer) is a security protocol widely used to secure communications between a browser and a web server over the internet. It helps authenticate the web server and encrypt communications to prevent malicious actors from intercepting data or tampering with it.
Websites secured by SSL (or its successor, TLS) display HTTPS in the browser's address bar, signaling their secure status. Virtually every online service today mandates the use of SSL/TLS, and leading browsers warn users before they access websites that do not use it.
What Are SSL Stripping Attacks?
An SSL stripping attack is a type of cyberattack in which an attacker downgrades a website from secure HTTPS to an insecure HTTP connection. Downgrading the website’s security removes data encryption, allowing the attacker to eavesdrop on communications, read data, and manipulate information without getting noticed.
SSL stripping is also referred to as SSL interception, SSL redirection, or just plain old interception. This type of attack is often used to steal valuable user data such as credit card numbers, passwords, and personal information shared through websites.
SSL stripping was first brought to light by Moxie Marlinspike, a computer security researcher, who discussed its implications at an information security event in 2009. Marlinspike pointed out that this type of attack would pose a significant security threat as it would allow hackers to execute these attacks on any secure website in real-time without getting detected.
How Do SSL Stripping Attacks Occur?
When a user requests a website, the browser typically first contacts the plain HTTP version of the site, and the server then redirects the request to the secure HTTPS version protected by SSL/TLS.
In an SSL stripping attack, the attacker takes advantage of the small window in which the request is being redirected to HTTPS to position themselves between the browser and the web server. The attacker then forwards the user's request to the web server and establishes an HTTPS connection with it.
Once that connection is established, the server responds with an HTTPS URL. The attacker rewrites the response, replacing the HTTPS URLs with plain HTTP ones, and forwards the downgraded page to the browser. Unaware that the website has been stripped of its security, the user believes that the website being served is legitimate and secure, but it is not.
When successfully executed, the attacker can read all the information provided by the user as it is transferred in plain text as well as alter the information shared to influence the user’s behavior.
It’s important to note that while communication between the attacker and the server is encrypted, communication between the attacker and the browser is not.
SSL stripping attacks are usually accomplished by setting up proxy servers, ARP spoofing, and creating fake WiFi hotspots.
Why Are SSL Stripping Attacks Dangerous?
All web communications today rely on SSL/TLS for security. Without these protocols, communications can easily be intercepted and tampered with. Given the critical role SSL/TLS plays in data security, SSL stripping attacks can have serious security implications for a business.
As a result of an SSL stripping attack, a user’s communications over a website may no longer be encrypted. This would allow the attacker to effortlessly read all sensitive information the user shares. Imagine if the personally identifiable information (PII) such as your customers’ login credentials, social security numbers, and account numbers became accessible on the internet!
SSL stripping attacks are particularly harmful in the context of online banking, where the attacker can steal the login credentials of a user’s online bank account and use them to carry out fraudulent transactions.
SSL stripping attacks also give attackers the power to meddle with the responses sent to the users. Attackers can modify responses to their advantage and compel users to take actions that threaten their financial security or personal well-being.
How to Protect Against SSL Stripping Attacks
Given the serious risk that SSL stripping attacks bring, there are a few measures that organizations can take to protect their web communications from these attacks.
- Enable SSL sitewide (Use HTTPS only)
Typically, organizations enable SSL only on those web pages that require users to provide sensitive information, such as the login or billing page. However, a good practice is to enable SSL across the entire website, on all pages, regardless of whether they handle user data. This prevents attackers from using the unprotected static pages as launch pads for SSL stripping attacks. When SSL is enabled sitewide, modern web browsers will notify users if they fail to authenticate the website through its SSL certificate, which warns them before proceeding over an unsafe connection.
Enabling SSL sitewide also helps comply with data privacy regulations that recommend implementing robust protection mechanisms for better data privacy.
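The following is an added example, not code from the original article: a small WSGI middleware, written for this page, that enforces HTTPS on every path of a site. Plaintext requests are answered with a 301 redirect to the HTTPS URL (the redirect target is built from an assumed allowlist of hostnames rather than from the untrusted Host header, so a spoofed Host cannot redirect users elsewhere), and every HTTPS response carries a Strict-Transport-Security header. The host names, the X-Forwarded-Proto convention and the demo application are assumptions for the example.

```python
from urllib.parse import urlunsplit

# Assumed deployment values for this example.
ALLOWED_HOSTS = {"shop.example", "www.shop.example"}
CANONICAL_HOST = "shop.example"
HSTS_VALUE = "max-age=31536000; includeSubDomains"


def is_https(environ):
    """True when the request arrived over TLS.

    Honours the scheme WSGI reports and, for deployments behind a trusted
    TLS-terminating proxy, the X-Forwarded-Proto header (assumed convention).
    """
    if environ.get("wsgi.url_scheme") == "https":
        return True
    return environ.get("HTTP_X_FORWARDED_PROTO", "").lower() == "https"


def https_location(environ):
    """Build the HTTPS URL to redirect to, refusing to echo an unknown Host."""
    host = environ.get("HTTP_HOST", "").lower()
    if host not in ALLOWED_HOSTS:
        host = CANONICAL_HOST
    path = environ.get("PATH_INFO") or "/"
    query = environ.get("QUERY_STRING", "")
    return urlunsplit(("https", host, path, query, ""))


class ForceHttps:
    """WSGI middleware: redirect plaintext requests, add HSTS to TLS responses."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        if not is_https(environ):
            start_response("301 Moved Permanently",
                           [("Location", https_location(environ)),
                            ("Content-Length", "0")])
            return [b""]

        def start_with_hsts(status, headers, exc_info=None):
            # Replace any HSTS header the app set so the site-wide policy wins.
            headers = [h for h in headers
                       if h[0].lower() != "strict-transport-security"]
            headers.append(("Strict-Transport-Security", HSTS_VALUE))
            return start_response(status, headers, exc_info)

        return self.app(environ, start_with_hsts)


def demo_app(environ, start_response):
    """Stand-in application (constructed for the example)."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello over TLS\n"]


app = ForceHttps(demo_app)


def make_environ(scheme, host, path, query=""):
    """Construct a minimal WSGI environ so the middleware can run offline."""
    return {"wsgi.url_scheme": scheme, "HTTP_HOST": host, "SERVER_NAME": host,
            "PATH_INFO": path, "QUERY_STRING": query, "REQUEST_METHOD": "GET"}


def call(environ):
    """Drive the app without a server; returns (status, headers dict, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = headers

    body = b"".join(app(environ, start_response))
    return captured["status"], dict(captured["headers"]), body


if __name__ == "__main__":
    for env in (make_environ("http", "shop.example", "/login", "next=%2Fcart"),
                make_environ("http", "evil.example", "/"),
                make_environ("https", "shop.example", "/login")):
        status, headers, body = call(env)
        print(status, headers.get("Location"), headers.get("Strict-Transport-Security"))
```

The HTTP-to-HTTPS redirect is itself the window an SSL stripping attack exploits, so the redirect alone does not close the gap; it is the HSTS header on the HTTPS response that tells returning browsers to never send the plaintext request in the first place.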
- Implement HSTS (HTTP Strict Transport Security) policy
HSTS is a security policy that lets the web server instruct the browser that whenever it connects to the website, it must do so via HTTPS and never over an insecure HTTP connection. The browser learns the policy from the 'Strict-Transport-Security' header in a response sent by the server over HTTPS.
Once a browser has seen the policy, it rewrites HTTP requests to that site into HTTPS requests before sending them. So, even if an attacker tries to intercept the communication, the browser refuses the plaintext connection and shows the user an error instead of the downgraded page. In effect, users cannot visit the site over HTTP at all, because the browser will not load the page over an HTTP connection.
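As an added example (not part of the original article), the model below reproduces the browser side of HSTS: parsing the header, caching the policy per host, and upgrading http:// URLs before any request leaves. The simulation walks through the downgrade scenario with constructed responses and shows the two edge cases a defender should know: the very first visit is unprotected until the site has been seen over HTTPS (which is what the preload list exists to cover), and the policy lapses once max-age expires. The host names and header values are constructed for the example.

```python
from urllib.parse import urlsplit, urlunsplit


def parse_hsts(value):
    """Parse a Strict-Transport-Security header value.

    Returns (max_age_seconds, include_subdomains, preload), or None when the
    value is malformed (RFC 6797 requires a numeric max-age directive).
    """
    max_age = None
    include_subdomains = False
    preload = False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        arg = arg.strip().strip('"')
        if name == "max-age":
            if not arg.isdigit():
                return None
            max_age = int(arg)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    if max_age is None:
        return None
    return max_age, include_subdomains, preload


class HstsBrowser:
    """Minimal model of a browser's HSTS cache and the URL upgrade it performs."""

    def __init__(self, preloaded=()):
        # host -> (expiry timestamp, include_subdomains); preloaded hosts never expire
        self.known = {host: (float("inf"), True) for host in preloaded}

    def receive(self, host, headers, now, over_tls):
        """Record policy from a response. Browsers honour the header only on a
        clean TLS connection, so a plaintext attacker can neither set nor clear it."""
        if not over_tls:
            return
        value = headers.get("Strict-Transport-Security")
        parsed = parse_hsts(value) if value is not None else None
        if parsed is None:
            return
        max_age, include_subdomains, _preload = parsed
        if max_age == 0:  # max-age=0 tells the browser to forget the host
            self.known.pop(host, None)
        else:
            self.known[host] = (now + max_age, include_subdomains)

    def is_known(self, host, now):
        """Match the host itself, or any parent whose entry covers subdomains."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self.known.get(".".join(labels[i:]))
            if entry is None:
                continue
            expiry, include_subdomains = entry
            if expiry <= now:
                continue
            if i == 0 or include_subdomains:
                return True
        return False

    def navigate(self, url, now):
        """Return the URL the browser will actually request."""
        parts = urlsplit(url)
        if parts.scheme == "http" and self.is_known(parts.hostname or "", now):
            return urlunsplit(("https", parts.netloc, parts.path, parts.query, parts.fragment))
        return url


def simulate():
    """Walk through the downgrade scenario; returns the URLs the browser requests."""
    browser = HstsBrowser()
    visits = []
    # 1. First visit, nothing cached: the plaintext request goes out unchanged.
    visits.append(browser.navigate("http://bank.example/", now=0))
    # 2. The genuine HTTPS response carries the policy; the browser records it.
    browser.receive("bank.example",
                    {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"},
                    now=0, over_tls=True)
    # 3. A page offering plain http:// links (constructed stand-in for a downgraded
    #    response) no longer produces plaintext requests, subdomains included.
    visits.append(browser.navigate("http://bank.example/login", now=100))
    visits.append(browser.navigate("http://online.bank.example/transfer?id=7", now=100))
    # 4. A response received over plaintext cannot clear the policy.
    browser.receive("bank.example", {"Strict-Transport-Security": "max-age=0"},
                    now=200, over_tls=False)
    visits.append(browser.navigate("http://bank.example/", now=200))
    # 5. After max-age expires the protection lapses until the next HTTPS visit.
    visits.append(browser.navigate("http://bank.example/", now=31536000 + 1))
    return visits


if __name__ == "__main__":
    for url in simulate():
        print(url)
```

Passing a host in preloaded= models the browser's built-in preload list, which is the only thing that closes the first-visit gap in step 1.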
- Educate users about using VPN connections
SSL stripping attacks require both the attacker and the victim to be connected to the same network. This is why public WiFi hotspots are the most common setting for SSL stripping attacks. To avoid becoming a target, users must be encouraged to avoid connecting to public WiFi hotspots and to always use a VPN connection when connecting remotely. A VPN connection ensures that no external party on the local network can see the user's traffic, and all data sent by the user is encrypted.
Users must also be educated about verifying the authenticity of the website they visit by checking for the security padlock in the browser's address bar.
- Use the latest SSL/TLS protocols
Weak or outdated SSL/TLS protocol versions have several known vulnerabilities that make it easier for attackers to execute downgrade attacks such as SSL stripping. So, organizations must ensure that all endpoints and certificates that still rely on weak or outdated protocol versions are updated to the latest standards. In the case of SSL/TLS, the recommended standard is TLS 1.3. An automated certificate lifecycle management system makes it easy for organizations to identify weak certificates and upgrade them in bulk with minimal service disruption.
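As an added example (not from the original article), the snippet below shows how to pin a protocol floor in Python's standard ssl module and how to classify an inventory of endpoints by the protocol version they negotiate. The floor defaults to TLS 1.2, the current interoperability floor, and can be raised to TLS 1.3 where every peer supports it, which is the standard the article recommends; the inventory records are constructed for the example.

```python
import ssl

# Protocol names as they typically appear in scan or inventory output, mapped to
# ssl.TLSVersion members (an IntEnum, so versions compare in order).
VERSION_BY_NAME = {
    "SSLv3": ssl.TLSVersion.SSLv3,
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}


def hardened_client_context(floor=ssl.TLSVersion.TLSv1_2):
    """Client context that refuses anything older than `floor` and keeps
    certificate and hostname verification on (create_default_context's defaults).
    Pass ssl.TLSVersion.TLSv1_3 as the floor once all peers support it."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = floor
    ctx.maximum_version = ssl.TLSVersion.TLSv1_3
    return ctx


def classify(protocol_name, floor=ssl.TLSVersion.TLSv1_2):
    """Rate one negotiated protocol version against the floor.

    "weak"    : below the floor, must be fixed
    "upgrade" : at or above the floor but not yet TLS 1.3
    "ok"      : TLS 1.3
    "unknown" : name not recognised, needs a manual look
    """
    version = VERSION_BY_NAME.get(protocol_name)
    if version is None:
        return "unknown"
    if version < floor:
        return "weak"
    if version < ssl.TLSVersion.TLSv1_3:
        return "upgrade"
    return "ok"


def audit(inventory, floor=ssl.TLSVersion.TLSv1_2):
    """Map each host in the inventory to its classification."""
    return {record["host"]: classify(record["protocol"], floor) for record in inventory}


# Constructed inventory standing in for the output of a certificate scan.
INVENTORY = [
    {"host": "www.shop.example", "protocol": "TLSv1.3"},
    {"host": "api.shop.example", "protocol": "TLSv1.2"},
    {"host": "legacy.shop.example", "protocol": "TLSv1"},
    {"host": "printer.shop.example", "protocol": "SSLv3"},
    {"host": "odd.shop.example", "protocol": "QUIC?"},
]


if __name__ == "__main__":
    ctx = hardened_client_context()
    print("client floor:", ctx.minimum_version.name)
    for host, verdict in audit(INVENTORY).items():
        print(f"{host:28} {verdict}")
```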
The SSL/TLS protocol is a de facto standard for securing web communications today. With most communications happening on the internet, SSL/TLS-based authentication and encryption have become pivotal to data security. At the same time, the increase in internet-based communications has also amplified the risk of SSL-based attacks, which is a serious security concern. So, organizations must be extra cautious about where SSL/TLS protocols are implemented, how they are enabled, and how well their certificates are managed.