A Secure Sockets Layer (SSL) stripping attack allows threat actors to downgrade a web connection from HyperText Transfer Protocol Secure (HTTPS) to the less secure HTTP. It is also known as an “SSL or HTTP downgrade attack.”
An SSL stripping attack keeps the connection unencrypted, allowing attackers to perform a man-in-the-middle (MitM) attack in which they sit in the middle of a conversation to listen in on or intercept confidential information.
SSL stripping attacks got their name from the act of “stripping off” security from network communications.
How Does an SSL Stripping Attack Work?
Every web connection made via plain HTTP is inherently unsecured. When a user types a bare address, the browser first requests the site over HTTP, and the site then redirects that request to its HTTPS version. In an SSL stripping attack, the attackers sit on the path and interrupt this redirect step, so the user never reaches the site’s HTTPS version and keeps talking to the attackers over plain HTTP. The user’s privacy is compromised, and verifying the legitimacy of the other party in the connection becomes impossible.
A successful SSL stripping attack lets threat actors sit in the middle of a conversation and get every piece of information a user submits on the website in plaintext. Users can also receive altered responses since the hackers can take the legitimate website’s place.
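The redirect hop described above is the step an SSL stripping attacker interferes with. The following is an added example, not code from the original article: a small Python model of that hop, next to the browser-side HSTS state that removes it once a site has been visited over HTTPS. The host names, the one-year max-age value, the `HstsStore` class and the fake clock are all constructed for the demonstration.

```python
"""Added example (not from the original article): a minimal model of the
HTTP-to-HTTPS redirect hop and of the browser-side HSTS state that removes
it. Host names, the max-age value and the fake clock are constructed."""
import time
from urllib.parse import urlsplit, urlunsplit


def site_redirect(http_url):
    """The legitimate site's answer to a plain-HTTP request: the same URL over HTTPS."""
    parts = urlsplit(http_url)
    return urlunsplit(("https",) + tuple(parts[1:]))


def parse_hsts(value):
    """Parse a Strict-Transport-Security value into (max_age, include_subdomains).

    Returns None when the header is unusable (no max-age, or a non-numeric one).
    """
    max_age, include_sub = None, False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                max_age = int(arg.strip().strip('"'))
            except ValueError:
                return None
        elif name == "includesubdomains":
            include_sub = True
    return None if max_age is None else (max_age, include_sub)


class HstsStore:
    """What a browser remembers after seeing an HSTS header over HTTPS."""

    def __init__(self, now=time.time):
        self.now = now            # injectable clock so expiry can be tested
        self.entries = {}         # host -> (expires_at, include_subdomains)

    def remember(self, host, header_value):
        parsed = parse_hsts(header_value)
        if parsed is None:
            return
        max_age, include_sub = parsed
        if max_age == 0:          # max-age=0 tells the browser to forget the host
            self.entries.pop(host, None)
            return
        self.entries[host] = (self.now() + max_age, include_sub)

    def is_known(self, host):
        for known, (expires_at, include_sub) in self.entries.items():
            if expires_at <= self.now():
                continue          # expired entry, no longer enforced
            if host == known or (include_sub and host.endswith("." + known)):
                return True
        return False

    def prepare(self, url):
        """Rewrite http:// to https:// before any packet leaves when the host is known."""
        parts = urlsplit(url)
        if parts.scheme == "http" and self.is_known(parts.hostname or ""):
            return urlunsplit(("https",) + tuple(parts[1:]))
        return url


def navigate(store, url, hsts_header="max-age=31536000; includeSubDomains"):
    """Return the list of requests a browser issues for url.

    Constructed assumption: the HTTPS response carries hsts_header, which the
    browser stores for later visits.
    """
    requests = []
    current = store.prepare(url)
    requests.append(current)
    if urlsplit(current).scheme == "http":
        # Plaintext hop: the request and the redirect cross the network
        # unprotected. This is the exchange an on-path attacker can alter.
        current = site_redirect(current)
        requests.append(current)
    store.remember(urlsplit(current).hostname, hsts_header)
    return requests


if __name__ == "__main__":
    store = HstsStore()
    print("first visit :", navigate(store, "http://shop.example/cart"))
    print("second visit:", navigate(store, "http://shop.example/cart"))
```

On the first visit the browser issues a plain-HTTP request and follows the site’s redirect, which is the window an attacker on the path exploits; once the HSTS entry is stored, the second visit goes straight to HTTPS and there is no plaintext exchange to interfere with.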
Let’s take a look at an example. Chase often works from his favorite coffee shop in the morning. He connects to the shop’s public Wi-Fi to do so. Chase gets a sale notification and notices a pair of jeans he has been eyeing. He clicks the link to the product page and adds the jeans to his cart, not even bothering to check if he’s on an HTTPS site. He pays with his credit card, not knowing that attackers have been listening to the communication all the while.
At the end of the month, Chase notices a US$5,000 charge on his credit card for a product he never bought. The threat actors managed to steal his credit card details while he was purchasing the much-sought-after pair of jeans.
How Can Attackers Instigate an SSL Stripping Attack?
Hackers typically use three ways to execute an SSL stripping attack.
- Using proxy servers: Attackers manually set a target user’s browser proxy server to route all traffic to an external server they control. As such, all the web requests the user makes go to them. They can then take over and establish malicious connections for each request.
- Via Address Resolution Protocol (ARP) spoofing: Threat actors send spoofed ARP messages on the local network so that traffic intended for a target user’s IP address is delivered to them instead. Once that happens, they receive any data meant for the legitimate user.
- Through network access: Hackers set up a fake public Wi-Fi network to control all the communications of anyone who connects to it. If they gain access to a private network, they can execute an SSL stripping attack there as well.
What Risks Does an SSL Stripping Attack Pose?
An SSL stripping attack can result in:
- Information theft: Any information a user sends over an affected connection lands in the attackers’ hands, because it is unencrypted and travels in plaintext. Intellectual property and personally identifiable information (PII) can be stolen this way.
- Fraud: An SSL stripping attack doesn’t just let threat actors intercept confidential information. It also lets them do the reverse: alter the website’s communications with the affected user. That enables them, for instance, to make users believe they never bought items with their credit cards when the attackers did so while pretending to be them. Remember Chase in our example? That’s what happened to him.
- Communication inaccuracy: A successful SSL stripping attack can also let hackers steal affected users’ login credentials, giving them access to the victims’ other systems. If the attackers get into the affected users’ email accounts, they can send and receive messages on the users’ behalf, creating havoc at work.
How Can Organizations Thwart an SSL Stripping Attack?
Given the risks that an SSL stripping attack poses, organizations are advised to:
- Enable SSL/TLS throughout all sites. That means securing every page on your website, not only the e-commerce pages.
- Implement an HTTP Strict Transport Security (HSTS) policy on company web properties and make sure the browsers on all company-owned computers honor it. HSTS instructs browsers to connect to those sites only over HTTPS and to refuse non-HTTPS pages.
- Mark cookies as secure (the Secure cookie attribute) on all organization-owned web applications and computers. That ensures browsers only send those cookies over HTTPS connections.
- Educate users about the vulnerabilities involved. Advise them never to connect to public Wi-Fi networks, or to use a virtual private network (VPN) connection when that can’t be avoided.
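The first three recommendations are server-side settings. The following is an added example, not code from the original article or from any particular product: a minimal Python WSGI application that applies them (redirect plain HTTP to HTTPS, send an HSTS header, mark the session cookie Secure), next to an `audit` helper that reports which of the three a response is missing, tested against an insecure ‘before’ application. The host name, paths, cookie value and the one-year `HSTS_MAX_AGE` threshold are constructed assumptions.

```python
"""Added example (not from the original article): a WSGI app applying the
three server-side mitigations, and an audit helper that reports which ones
a response lacks. Host name, paths, cookie value and threshold are constructed."""
import re
from wsgiref.util import setup_testing_defaults

HSTS_MAX_AGE = 31536000  # one year; assumed minimum for the audit below


def insecure_app(environ, start_response):
    """'Before': serves any scheme, sends no HSTS header, cookie lacks Secure."""
    start_response("200 OK", [("Content-Type", "text/plain"),
                              ("Set-Cookie", "session=abc123; Path=/")])
    return [b"cart"]


def secure_app(environ, start_response):
    """'After': redirect plain HTTP to HTTPS, send HSTS, mark cookies Secure."""
    host = environ.get("HTTP_HOST") or environ["SERVER_NAME"]
    path = environ.get("PATH_INFO", "/")
    if environ.get("QUERY_STRING"):
        path += "?" + environ["QUERY_STRING"]
    if environ.get("wsgi.url_scheme") != "https":
        # The redirect hop still exists, but it carries no application data
        # and sets no cookies, so nothing sensitive crosses the plaintext link.
        start_response("301 Moved Permanently",
                       [("Location", f"https://{host}{path}")])
        return [b""]
    headers = [
        ("Content-Type", "text/plain"),
        ("Strict-Transport-Security", f"max-age={HSTS_MAX_AGE}; includeSubDomains"),
        ("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ]
    start_response("200 OK", headers)
    return [b"cart"]


def call(app, scheme, path, host="shop.example"):
    """Invoke a WSGI app with a constructed request; return (status, headers, body)."""
    environ = {}
    setup_testing_defaults(environ)
    environ["wsgi.url_scheme"] = scheme
    environ["HTTP_HOST"] = host
    environ["PATH_INFO"] = path
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = headers

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


def audit(scheme, status, headers):
    """Return the list of mitigations a response fails to apply (empty is good)."""
    findings = []
    if scheme == "http":
        location = next((v for k, v in headers if k.lower() == "location"), "")
        if not (status[:3] in ("301", "302", "307", "308")
                and location.startswith("https://")):
            findings.append("plain HTTP request answered without a redirect to HTTPS")
    else:
        hsts = [v for k, v in headers if k.lower() == "strict-transport-security"]
        if not hsts:
            findings.append("no Strict-Transport-Security header")
        else:
            m = re.search(r"max-age=\"?(\d+)", hsts[0], re.IGNORECASE)
            if not m or int(m.group(1)) < HSTS_MAX_AGE:
                findings.append(f"HSTS max-age below {HSTS_MAX_AGE}")
    for k, v in headers:
        if k.lower() != "set-cookie":
            continue
        attrs = [a.strip().lower() for a in v.split(";")[1:]]
        if "secure" not in attrs:
            findings.append(f"cookie without Secure attribute: {v.split('=', 1)[0]}")
    return findings


if __name__ == "__main__":
    for app in (insecure_app, secure_app):
        for scheme in ("http", "https"):
            status, headers, _ = call(app, scheme, "/cart")
            print(app.__name__, scheme, status, audit(scheme, status, headers) or "OK")
```

Run stand-alone, the script prints two findings for each scheme of the insecure application and “OK” for both schemes of the hardened one; the same `audit` function can be pointed at captured response headers from a real deployment to confirm the policy is actually being sent.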
SSL stripping attacks can have detrimental effects on the affected user and their organization.