What are SSL stripping attacks and how can you prevent them?
Man in the Middle (MiTM) attacks intercept and decrypt confidential information sent over the Internet. A lesser-known form of MiTM is called SSL stripping. SSL stripping attacks are relatively easy to launch and among the most dangerous. Here's how they work and what you can do to avoid falling victim.
What is SSL stripping?
In a nutshell, SSL stripping downgrades an HTTPS (Hyper Text Transfer Protocol Secure) connection to one that is HTTP (the now out-of-date, less secure protocol).
Via a proxy, a hacker - the “man-in-the-middle” of a connection - intercepts all user requests made to a website’s server. Rather than connecting to a secure site, users are rerouted to the unsecure proxy server. Most users won’t even know that the redirect has occurred because they will end up on a page that looks virtually the same as the one they were searching for.
In this way, SSL stripping is more sophisticated than phishing. Phishing requires a user to log in to a fake page which allows the attacker to collect data like user name and password.
SSL stripping directs a user to an HTTP proxy that is related to a legitimate HTTPS-encrypted site. The attacker can collect logins and passwords via the HTTP connection without the victim noticing anything. They won't see an error or warning message in their browser alerting them to the fact they have been rerouted.
Having removed the Secure Sockets Layer (SSL) that protects a user’s confidential information, a hacker can eavesdrop and manipulate data at will.
How does SSL stripping work?
Users don’t typically come to SSL-secured sites by typing in a full URL or using a bookmarked https://url. Many arrive via a redirect (like the 302 redirect) or an HTTP site which provides a link to the secured site. Users are redirected or click on that link and it takes them where they want to go.
For example, you type www.example.com into your browser. The browser connects to the hacker’s machine using HTTP, and the hacker’s machine forwards your request to the server over HTTPS.
The hacker downgrades the server's response from HTTPS to HTTP and sends it back to your browser. You will see http://www.example.com. The SSL has been “stripped”, your data is compromised, and the site’s server continues to think that a secure connection has been made.
How can you prevent this form of attack?
An SSL certificate alone won't protect you: you need to encrypt all of your connections with an HTTPS-configured SSL certificate. And you need to encrypt all elements of your site, not just the login page. Pictures, links - everything.
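One way to check a page for elements that are still referenced over plain HTTP, as an added example that is not part of the original article. The function names and the sample page are constructed for illustration.

```python
from html.parser import HTMLParser

# Attributes that make the browser fetch from, link to, or submit to a URL.
URL_ATTRS = {"src", "href", "action", "data", "poster", "formaction"}


class InsecureRefFinder(HTMLParser):
    """Collect (tag, attribute, url) for every reference that uses plain http://."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names but keeps values as written.
        for name, value in attrs:
            if name in URL_ATTRS and value and value.strip().lower().startswith("http://"):
                self.findings.append((tag, name, value.strip()))


def find_insecure_refs(html):
    """Return every plain-HTTP reference in an HTML document.

    Relative and protocol-relative URLs inherit the page's scheme and are not flagged.
    """
    finder = InsecureRefFinder()
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed sample page: a script, an image, a link and a login form still use HTTP.
SAMPLE_PAGE = """
<html><head>
<link rel="stylesheet" href="https://www.example.com/site.css">
<script src="http://cdn.example.com/app.js"></script>
</head><body>
<img src="http://www.example.com/logo.png">
<a href="http://www.example.com/account">My account</a>
<a href="/pricing">Pricing</a>
<form method="post" action="HTTP://www.example.com/login">
<input name="user"><input name="password" type="password">
</form>
</body></html>
"""

if __name__ == "__main__":
    for tag, attr, url in find_insecure_refs(SAMPLE_PAGE):
        print(f"<{tag} {attr}> -> {url}")
```

The form action is the finding to fix first, since credentials posted to it would leave the browser unencrypted.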
When you purchase an SSL certificate, you can (for an additional fee) add a Wildcard option which allows you to use your SSL on an unlimited number of subdomains and servers for greater security.
An Organisation Validation (OV) or Extended Validation (EV) SSL certificate will further improve your site’s level of security and confirm its authenticity. An EV SSL certificate shows your company’s name in a green URL bar as proof that your site is legitimate. Compare SSL certificates to find the one that best suits your needs.
HSTS Preload List
Once you have your SSL certificate, add your domain name to the HSTS preload list, a global list that is used by Chrome, Firefox, and other browsers.
In a previous post, we covered how to add your site to the HSTS preload list and why you should do it. But to recap:
- HSTS stands for HTTP Strict Transport Security
- The HSTS preload list contains a list of hostnames for which browsers automatically enforce HTTPS connections
- Once a browser receives a site’s HSTS, it will be included on the preload list
- Inclusion on the list prevents future insecure HTTP connections from being made
The list includes domains, subdomains, and even entire TLDs. Some TLDs like .APP are already HSTS preloaded, meaning all websites under a .APP domain are HTTPS-encrypted by default. But as long as you are using an SSL certificate on your site, you can submit any domain to the list.
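Before submitting a domain, you can check whether the HSTS header your server sends is ready for preloading. This is an added example, not code from the original article. It assumes the header requirements published at hstspreload.org, which this page does not list: a max-age of at least 31536000 seconds plus the includeSubDomains and preload directives. Function names and sample values are constructed.

```python
ONE_YEAR = 31536000  # minimum max-age in seconds (assumed from hstspreload.org)


def parse_hsts(header_value):
    """Parse a Strict-Transport-Security value into (max_age, include_subdomains, preload)."""
    max_age, include_sub, preload = None, False, False
    for part in header_value.split(";"):
        name, _, value = part.strip().partition("=")
        name = name.strip().lower()          # directive names are case-insensitive
        value = value.strip().strip('"')     # max-age may be sent as a quoted string
        if name == "max-age" and value.isascii() and value.isdigit():
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
        elif name == "preload":
            preload = True
    return max_age, include_sub, preload


def preload_problems(header_value):
    """Return the reasons a header is not preload-ready; an empty list means it is."""
    if header_value is None:
        return ["no Strict-Transport-Security header sent"]
    max_age, include_sub, preload = parse_hsts(header_value)
    problems = []
    if max_age is None:
        problems.append("max-age missing or not a number")
    elif max_age == 0:
        problems.append("max-age=0 tells browsers to drop the HSTS policy")
    elif max_age < ONE_YEAR:
        problems.append(f"max-age {max_age} is below {ONE_YEAR}")
    if not include_sub:
        problems.append("includeSubDomains missing")
    if not preload:
        problems.append("preload missing")
    return problems


# Constructed sample header values, as a server might send them over HTTPS.
SAMPLES = {
    "ready": "max-age=63072000; includeSubDomains; preload",
    "short-lived": "max-age=300",
    "no-header": None,
}

if __name__ == "__main__":
    for label, value in SAMPLES.items():
        print(label, preload_problems(value) or "meets the header requirements")
```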
Educate your users
Last but not least, keep your users informed about a few basic precautions they can take to avoid falling victim to SSL stripping.
HTTPS Everywhere: Encourage users to download the HTTPS Everywhere browser extension which will force their browsers to only send information over HTTPS websites.
Virtual Private Networks (VPN): A VPN provides users with a layer of secure encryption no matter what site they are on. Even if a site is downgraded to HTTP, data will remain encrypted.
Wi-Fi: Avoid using public Wi-Fi networks, especially when sending sensitive data (like credit card information when making a purchase).
HTTPS: If those FIVE letters - HTTPS - aren't in front of the URL, don’t click on it.
Links: Don’t click on malicious-looking links or emails.
Protect against SSL stripping and other vulnerabilities
Data in transit is at significant risk of MiTM attack. And, as with all cybersecurity-related threats, taking proactive steps is key to avoiding a trap. For more information about how we can help you meet your cybersecurity needs, give us a call or email us at +352 263 725 250 or firstname.lastname@example.org. We would be glad to assist.