SSL stripping attacks, also known as SSL strip, SSL downgrade, or HTTP downgrade attacks, defeat the protection of HTTPS by silently downgrading a connection to unencrypted HTTP. These attacks pose a significant cyber threat to numerous businesses. The risk is particularly high for corporate employees who frequently use open, unsecured Wi-Fi hotspots for Internet access while traveling, which makes them easy targets for SSL stripping. In such attacks, cybercriminals get onto the victim's network and position themselves as a Man-in-the-Middle (MITM), which lets them intercept and alter the victim's connections. The technique is not limited to wireless networks; it works just as well on a wired network if the attacker manages to get access to an Ethernet port.
How does an SSL Stripping Attack work?
To execute an SSL stripping attack, an attacker intercepts the transition from HTTP to HTTPS. The user's first request to a site typically goes out over plain HTTP, and the server answers it with a redirect to HTTPS; the attacker captures that request and the redirect before the browser can act on it. The attacker then holds a genuine HTTPS connection with the server on one side and an unencrypted HTTP connection with the user on the other, effectively positioning themselves as a "bridge" between the two.
The SSL strip technique exploits the common way users arrive at SSL-secured pages: they type a hostname without a scheme, so the browser starts with plain HTTP, and then either follow a 301 or 302 redirect from the non-SSL page or click a link on a non-SSL page that points to an SSL-secured one. For example, if a user intends to make a purchase and enters www.buyme.com in their browser, the browser sends a plain HTTP request, and that request first reaches the attacker's system. The attacker relays the request to the store's real server, which answers with a redirect to its secure payment page, https://www.buyme.com. At this juncture the attacker follows that redirect over HTTPS itself, rewrites everything it receives so that every https:// reference becomes http://, and hands the rewritten version to the user's browser. Consequently, the browser stays on the unsecured http://www.buyme.com. From this point, all data entered by the user travels to the attacker in plain text, and the attacker forwards it to the server over its own HTTPS connection. The server sees a valid TLS session and believes it has a secure connection with the user, but that session terminates at the attacker's system, not the user's. The browser shows no certificate warning, because from its point of view no TLS connection was ever attempted.
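The rewriting step described above, as an added example that is not part of the original article: a minimal model of the attacker's "bridge" that turns the server's HTTPS redirect and HTTPS links into plain HTTP for the victim, while remembering which URLs it must fetch from the real server over HTTPS. The upstream responses are constructed sample data for a hypothetical www.buyme.com, not captured traffic.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed sample responses standing in for what the real server returns
# on the attacker's HTTPS-side connection (example data, not captured traffic).
UPSTREAM_REDIRECT = {
    "status": 302,
    "headers": {"Location": "https://www.buyme.com/checkout", "Content-Type": "text/html"},
    "body": "",
}
UPSTREAM_PAGE = {
    "status": 200,
    "headers": {"Content-Type": "text/html"},
    "body": '<a href="https://www.buyme.com/login">Sign in</a> '
            '<form action="https://www.buyme.com/pay" method="post">',
}


class StrippingBridge:
    """Rewrites server responses so the victim's browser only ever sees http:// URLs.

    The bridge keeps an HTTPS connection to the real server and a plain HTTP
    connection to the victim.  Every https:// URL it hands to the victim is
    remembered, so that when the victim later requests the http:// form, the
    bridge knows to fetch that resource from the server over HTTPS.
    """

    def __init__(self):
        # http:// URLs that must be fetched upstream over https://
        self.stripped = set()

    def _strip_url(self, url):
        parts = urlsplit(url)
        if parts.scheme != "https":
            return url
        plain = urlunsplit(("http",) + tuple(parts[1:]))
        self.stripped.add(plain)
        return plain

    def rewrite(self, response):
        """Return the response as the victim will receive it over plain HTTP."""
        headers = dict(response["headers"])
        # 1. A redirect to https:// becomes a redirect to http://, so the
        #    browser never leaves the unencrypted connection.
        if "Location" in headers:
            headers["Location"] = self._strip_url(headers["Location"])
        # 2. Every https:// link or form action in the HTML becomes http://.
        body = re.sub(r'https://[^\s"\'<>]+',
                      lambda m: self._strip_url(m.group(0)),
                      response["body"])
        return {"status": response["status"], "headers": headers, "body": body}

    def upstream_url(self, victim_url):
        """The URL the bridge fetches from the real server for a victim request."""
        if victim_url in self.stripped:
            return "https://" + victim_url[len("http://"):]
        return victim_url


if __name__ == "__main__":
    bridge = StrippingBridge()
    print(bridge.rewrite(UPSTREAM_REDIRECT)["headers"]["Location"])
    print(bridge.rewrite(UPSTREAM_PAGE)["body"])
    print(bridge.upstream_url("http://www.buyme.com/login"))
```

Two things this makes visible: the victim's browser receives only http:// URLs and therefore never attempts TLS, so no certificate warning can appear, and the attack does not need the server to cooperate in any way, since the bridge speaks perfectly valid HTTPS to it.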
Why should you avoid Wi-Fi hotspots?
SSL strip attacks can be set up in a number of ways. The most common method is to run a hotspot and let victims connect to it. Attackers often create counterfeit Wi-Fi hotspots with names closely resembling those of legitimate ones, such as "Starbucks Coffee" in place of "Starbucks". Unsuspecting users connect to these deceptive hotspots, and when such a user attempts to reach a server, the attacker, who controls the hotspot and therefore sees every request that passes through it, launches the attack on that connection.
Why are SSL Stripping Attacks so dangerous?
After a successful SSL strip attack, the victim's information is transferred in plain text and can be read by anyone on the path, including the attacker. This breaks the confidentiality and integrity of personally identifiable information (PII) such as login credentials, bank account details, and sensitive business data. The implications for a business vary, but the threat itself is easy to grasp: your business relies on encrypted communications to transact securely from the edge to the endpoint. If you cannot trust the identifying certificates on each end of the channel, you cannot offer the e-commerce web transactions and online banking that your customers now use without a second thought about security.
SSL stripping needs only one thing: a request from the victim that the browser sends over plain HTTP. Websites that mix HTTP and HTTPS, for instance by encrypting only their login page, hand the attacker that request on every unencrypted page and are therefore the easiest targets. But even a site that serves everything over HTTPS is exposed on the user's very first plain-HTTP request if the browser has no way of knowing that the site is HTTPS-only. The question to be answered now is this: what can we do to secure ourselves against this threat? Is the adoption of HTTPS and the Chrome updates a panacea?
Why should you enable SSL sitewide on all websites?
To mitigate this threat, financial institutions and technology firms have already enabled HTTPS on a site-wide basis. HTTPS encrypts the connection between the browser and the website and so protects sensitive data in transit. For banks and high-profile technology firms, whose dynamic websites handle important and sensitive transactions, sitewide HTTPS is an obvious requirement.
It is equally important to enable HTTPS across static websites, even when no sensitive data is exchanged. Many corporations purchase an SSL certificate and then serve over HTTPS only the pages on which a user transmits personal information, such as login screens and checkout pages. That is not a good way to operate: every page still served over HTTP is a page on which an attacker can intercept the user's request and strip the rest of the session.
Because internet connections feel abstract, people assume that a connection to a static website is safe over HTTP. In reality the traffic passes through many hops on its way from your browser to the website, and HTTP lets anyone at any of those hops read and modify it. Attackers can intercept a lot of information by manipulating traffic on a static website protected only by HTTP; some of it is relatively harmless, but other abuses are much more serious. None of this is possible once the traffic is carried by HTTPS, because any tampering breaks the TLS session, and web browsers such as Chrome and Firefox then display a warning that they cannot verify the site's TLS certificate. Two details decide whether sitewide HTTPS actually closes the stripping window: the plain-HTTP address must do nothing but redirect to HTTPS, and the HTTPS responses should carry an HTTP Strict Transport Security (HSTS) header, which tells the browser to use HTTPS for that host from then on without ever sending the plain-HTTP request that the attack depends on.
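The checks just described, as an added example that is not from the original article: an audit that takes a site's plain-HTTP and HTTPS responses and reports the conditions under which an SSL strip would succeed, namely HTTP content served instead of a redirect, a missing or zero-lifetime Strict-Transport-Security header, and HTTPS pages that link back to http:// on the same host. The two sites and their responses are constructed sample data for a hypothetical host shop.example, not real measurements.

```python
import re
from urllib.parse import urlsplit

# Constructed responses for two hypothetical sites (example data, not captured traffic).
# MIXED_SITE encrypts only its login page; HARDENED_SITE redirects everything to HTTPS
# and sets HSTS.
MIXED_SITE = {
    "http":  {"status": 200, "headers": {"Content-Type": "text/html"},
              "body": '<a href="https://shop.example/login">Sign in</a>'},
    "https": {"status": 200, "headers": {"Content-Type": "text/html"},
              "body": '<a href="http://shop.example/help">Help</a>'},
}
HARDENED_SITE = {
    "http":  {"status": 301, "headers": {"Location": "https://shop.example/"}, "body": ""},
    "https": {"status": 200,
              "headers": {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"},
              "body": '<a href="https://shop.example/login">Sign in</a>'},
}

REDIRECT_STATUSES = (301, 302, 307, 308)


def audit_site(host, responses):
    """Return a list of stripping-related weaknesses found in a site's responses.

    `responses` maps "http" and "https" to the response received at
    http://host/ and https://host/ respectively.  An empty list means none of
    the three conditions an SSL strip relies on is present.
    """
    findings = []
    http_resp, https_resp = responses["http"], responses["https"]

    # 1. The plain-HTTP entry point must do nothing but redirect to https:// on
    #    the same host; any content served here is content the attacker can rewrite.
    loc = urlsplit(http_resp["headers"].get("Location", ""))
    if (http_resp["status"] not in REDIRECT_STATUSES
            or loc.scheme != "https" or loc.hostname != host):
        findings.append("plain HTTP serves content instead of redirecting to HTTPS")

    # 2. HSTS: once the browser has seen this header over HTTPS it upgrades
    #    http:// requests itself, so the attacker never gets the plain-HTTP
    #    request the attack needs.  max-age=0 switches the policy off.
    hsts = https_resp["headers"].get("Strict-Transport-Security", "")
    max_age = re.search(r"max-age=(\d+)", hsts)
    if not max_age or int(max_age.group(1)) == 0:
        findings.append("no Strict-Transport-Security header (or max-age=0) on HTTPS response")

    # 3. Links from an HTTPS page back to http:// on the same host reopen the
    #    stripping window on the next click.
    for url in re.findall(r'http://[^\s"\'<>]+', https_resp["body"]):
        if urlsplit(url).hostname == host:
            findings.append(f"HTTPS page links to plain HTTP: {url}")
    return findings


if __name__ == "__main__":
    for name, site in (("mixed", MIXED_SITE), ("hardened", HARDENED_SITE)):
        print(name, audit_site("shop.example", site) or ["no stripping weaknesses found"])
```

On a live site the same three checks are worth running against the actual responses; the first plain-HTTP request is the one the attacker needs, so the redirect and the HSTS header are what remove it, and sitewide HTTPS is the precondition for both.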