MITM: SSL stripping

Description


SSL stripping is a type of cyberattack that exploits a weakness in the way that some websites and applications handle HTTPS traffic. SSL (Secure Sockets Layer) is the predecessor to the modern TLS (Transport Layer Security) encryption protocol, and is used to secure data transmitted between a user's browser and a website.

In an SSL stripping attack, the attacker intercepts the user's HTTPS traffic and converts it to unencrypted HTTP traffic. The attacker does this by setting up a proxy server that sits between the user's browser and the target website. When the user requests a secure connection to the website, the proxy server intercepts the request and returns an unencrypted HTTP response to the user instead of the HTTPS response from the website. This allows the attacker to view, modify, or inject malicious content into the communication between the user and the website.

One of the key factors that makes SSL stripping attacks successful is that the user's browser may not automatically connect to the website using HTTPS, even if the website supports it. Instead, the user's browser may be directed to an HTTP version of the website, which can then be intercepted by the attacker.

Diagram


- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
┌──────────────────┐          ┌──────────────────┐          ┌──────────────────┐
│                  │   (1)    │                  │   (5)    │                  │
│      Victim      ├─────────►│      Router      ├─────────►│     Web site     │
│                  │◄─────────┤                  │◄─────────┤                  │
└──────────────────┘   (6)    └────┬────────▲────┘          └──────────────────┘
                                   │ (2)    │ (4)
                                   ▼        │
                              ┌────┴────────┴────┐
                              │                  │
                              │      Hacker      │
                              │       (3)        │
                              └──────────────────┘
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
( 1 ) the victim attempts to connect to a website via https
( 2 ) the router forwards the victim's request to the hacker
( 3 ) the hacker converts the https request into an http request
( 4 ) the attacker sends the new request back to the router
( 5 ) the router sends the new request to the website
( 6 ) the victim is given an http connection to the website
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Prevention


To protect against SSL stripping attacks, it is important to use HTTPS whenever possible and to ensure that the website is using HTTPS by checking for the padlock icon in the browser address bar. Additionally, website owners can protect against SSL stripping by implementing HTTP Strict Transport Security (HSTS), which forces the user's browser to use HTTPS when connecting to the website, and by using certificate pinning, which ensures that the browser only accepts valid certificates for a given website.
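As an added example (not part of the original page), a small Python checker for the HSTS header recommended above: it parses a Strict-Transport-Security value the way RFC 6797 describes and reports whether the policy is strong enough to keep a returning browser on HTTPS. The thresholds and the sample header values are constructed for illustration, not taken from any real site.

```python
ONE_YEAR = 31536000  # seconds: the minimum max-age the browser preload list expects


def parse_hsts(header_value):
    """Parse a Strict-Transport-Security value into a dict of directives.
    Names are case-insensitive (RFC 6797); max-age becomes an int (or None if
    malformed), flag directives such as includeSubDomains map to True."""
    directives = {}
    for part in filter(None, (p.strip() for p in header_value.split(";"))):
        name, _, value = part.partition("=")
        name = name.strip().lower()
        if name == "max-age":
            value = value.strip().strip('"')
            directives[name] = int(value) if value.isdigit() else None
        else:
            directives[name] = True
    return directives


def evaluate_hsts(headers):
    """Grade the HSTS policy found in a dict of HTTP response headers.
    Returns (ok, findings); ok is True only when a returning browser would
    refuse plain HTTP for this host and its subdomains. HSTS is trust-on-
    first-use: the first visit is unprotected unless the host is preloaded."""
    value = next((v for k, v in headers.items() if k.lower() == "strict-transport-security"), None)
    if value is None:
        return False, ["no Strict-Transport-Security header: browser will follow http:// links"]
    d = parse_hsts(value)
    max_age = d.get("max-age")
    findings = []
    if max_age is None:
        findings.append("max-age missing or malformed: browsers ignore the whole header")
    elif max_age == 0:
        findings.append("max-age=0 clears the policy: host is unprotected")
    elif max_age < ONE_YEAR:
        findings.append("max-age under one year: policy expires quickly and is too short to preload")
    if "includesubdomains" not in d:
        findings.append("includeSubDomains missing: subdomains can still be served over plain HTTP")
    if "preload" not in d:
        findings.append("preload missing: the first visit is still exposed to stripping")
    ok = max_age is not None and max_age >= ONE_YEAR and "includesubdomains" in d
    return ok, findings


# Constructed sample responses (not real sites) covering the common cases.
SAMPLE_RESPONSES = {
    "no-hsts": {"Content-Type": "text/html"},
    "weak": {"Strict-Transport-Security": "max-age=300"},
    "strong": {"strict-transport-security": "max-age=63072000; includeSubDomains; preload"},
}
```

Run `evaluate_hsts` over the headers of a real response (for example from `requests.get(url).headers`) to audit a site you operate.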