What are SSL Stripping Attacks and How to Prevent it?

Posted: June 23, 2022 | 4 min read

There is a constant battle between businesses and attackers over confidential information. Data breaches affect businesses of every size and cause serious damage by exposing sensitive data. Whenever security experts close one route, attackers find another. One such less-known technique is SSL Stripping. The problem is that SSL Stripping attacks are easy to launch and extremely dangerous.

What is SSL Stripping?

SSL Stripping is a form of MitM (Man-in-the-Middle) attack that takes advantage of the way the encryption protocol starts a connection. The attack evades the protection of the HTTPS connection between a user's browser and the web server, exposing the traffic and the sensitive information being exchanged in plain text to eavesdroppers.

Besides exposing sensitive information, the attack also lets the attacker modify the content in transit. Because it downgrades an SSL/TLS-encrypted connection to plain HTTP, it is also known as an SSL Downgrade Attack.

How Does SSL Stripping Attack Work?

When a secure connection is needed, the browser and the server use the server's SSL/TLS certificate to establish an encrypted link between the two parties.

The following actions take place when establishing a secure connection:

  • The user's browser sends an unencrypted HTTP request to the server
  • The server responds over HTTP with a redirect to the HTTPS (secure) URL
  • The secure session begins with the browser's HTTPS request

The SSL encryption process guarantees both integrity and privacy. Attackers cannot intrude into a secure HTTPS connection between the user and server.

Where attackers intercept the connection

Since the initial request and the HTTP redirect response are sent in plain text, an attacker on the path can intercept the user's request. The attacker acts as a bridge between the two parties: it establishes a legitimate HTTPS connection to the server while keeping a plain HTTP connection with the user.

This places the attacker in a MitM position. When the server sends a response, the attacker intercepts it and forwards it to the user unencrypted, posing as the server.

The communication is no longer 1:1. All data the user sends goes through the attacker's machine rather than directly to the legitimate server, and every server response likewise passes through the attacker in the middle. Since there is no encrypted communication between the user and the server, every message on this connection is exposed to anyone on the path, including the attacker.

Most victims will not notice that the URLs they receive are plain HTTP, and all sensitive information they submit is transferred as plain text.

Reasons Behind Successful SSL Stripping Attack

  • The easiest place to intercept traffic is a public hotspot. Attackers commonly set up fake hotspots with names resembling legitimate ones and attack the users who connect to them.
  • Users rarely type the full URL, including https://, into the address bar. Typing only the domain name gives the attacker the opportunity to serve the victim HTTP links.
  • Many websites use HTTPS only for login and other sensitive pages while leaving other pages on plain HTTP to improve performance.
  • Neither users nor servers have a built-in way to detect an SSL strip. Both parties trust the data, assuming they are talking to the legitimate partner.
  • SSL stripping can be recognized only in a few exceptional cases through design or technical details. There are few visible indications that a secure connection is missing.

How to Prevent SSL Stripping Attacks?

  • An SSL certificate is used to create a secured site, but to get its full benefit you need to serve all pages of your website over HTTPS, including all sub-domains.
  • Another SSL Stripping prevention method is to secure the local network from unauthorized access. A robust Web Application Firewall (WAF) helps prevent malicious actors from gaining a foothold and moving laterally to set up MitM attacks.
  • Malicious links posted in forums and sent in spam emails have been a default weapon for attackers for many years. Avoid clicking on links in emails from senders you do not recognize.
  • Public wi-fi hotspots are perfect for SSL Stripping attacks. Avoid insecure wi-fi access points.
  • Another effective way to protect against SSL stripping is to manually type the complete URL, including https://, in the address bar.
  • An important line of defense is implementing HSTS (HTTP Strict Transport Security), a strict policy that restricts web browsers from interacting with the site over an insecure HTTP connection.
  • In addition to enforcing HSTS and enabling SSL secure connections, businesses need a Certificate Management System such as Entrust CMS offered by Indusface to monitor and manage certificate lifecycle, public key infrastructure, and certificate validity, preventing bad actors from misusing a certificate.
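The HSTS item above is where most real deployments go wrong: the header is present but too weak to stop a downgrade. The following checker is an added example, not code from the original post or from Indusface; it parses a Strict-Transport-Security header and reports why a response still leaves room for SSL stripping. The one-year threshold is an assumption taken from the HSTS preload list requirements, and the sample responses are constructed.

```python
"""Added example: evaluate an HSTS header for SSL-stripping resistance."""

HSTS_HEADER = "Strict-Transport-Security"
# Assumed threshold: the HSTS preload list requires max-age of at least one year.
ONE_YEAR = 31_536_000


def parse_hsts(value):
    """Parse an HSTS header value into {directive: value} (simplified RFC 6797 grammar)."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        # Directive names are case-insensitive; valueless directives map to "".
        directives[name.strip().lower()] = val.strip().strip('"')
    return directives


def evaluate_hsts(headers):
    """Return findings (empty list means the policy is strong).

    `headers` is a dict of HTTP response headers from an HTTPS response.
    """
    findings = []
    hsts = {k.lower(): v for k, v in headers.items()}.get(HSTS_HEADER.lower())
    if hsts is None:
        return ["no Strict-Transport-Security header: browser will keep accepting plain HTTP"]
    d = parse_hsts(hsts)
    max_age = d.get("max-age")
    if max_age is None or not max_age.isdigit():
        findings.append("max-age missing or invalid: browsers ignore the header")
    elif int(max_age) == 0:
        findings.append("max-age=0 clears the policy instead of setting it")
    elif int(max_age) < ONE_YEAR:
        findings.append(f"max-age={max_age} is shorter than one year")
    if "includesubdomains" not in d:
        findings.append("includeSubDomains missing: subdomains can still be served over HTTP")
    return findings


# Constructed sample responses: the weak header beside the corrected one.
WEAK = {"Content-Type": "text/html", "Strict-Transport-Security": "max-age=300"}
STRONG = {"Content-Type": "text/html",
          "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload"}

if __name__ == "__main__":
    for name, h in (("weak", WEAK), ("strong", STRONG)):
        print(name, evaluate_hsts(h) or ["ok"])
```

Note that HSTS only helps a browser that has already seen the header over HTTPS; the first plain-HTTP visit remains exposed unless the domain is on the browser preload list.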

Conclusion

The SSL Stripping attack takes advantage of users not requesting secure pages explicitly and relying on the web server to redirect them to the secure version of the requested website. Most users are unaware of this attack, but by enforcing a robust SSL/TLS-encrypted connection on every page, website owners can protect themselves and their users from SSL Stripping and other MitM attacks.


Vinugayathri Chinnasamy, Senior Content Writer

Vinugayathri is a content writer at Indusface. She has been an avid reader and writer in the tech domain since 2015, analysing upcoming tech trends and their impact on the cybersecurity, IoT and AI landscape, and she writes to simplify technical topics for aspiring entrepreneurs.
