What Is an SSL Stripping Attack?

Secure Sockets Layer/Transport Layer Security (SSL/TLS) is a protocol designed to improve the security of network traffic. A protocol using SSL — such as HTTPS — will include data encryption and integrity protections and authenticate the identity of the server. By default, most modern web browsing is performed using SSL-protected HTTPS. An SSL stripping attack is designed to force a user’s browser to connect to an unprotected version of the site without SSL encryption.

How Does It Work?

An SSL stripping attack is performed via a man-in-the-middle (MitM) attack. By inserting themselves into the connection between a client and a web server, an attacker can control the data that reaches the user. Once in that position, the attacker can inspect and filter the packets sent between the client and the server.

An SSL/TLS connection is built on top of a standard, unencrypted TCP connection. After a TCP connection is established, the client can either initiate the SSL/TLS session or move directly to requesting web content via unencrypted HTTP.

In an SSL stripping attack, the attacker intercepts all traffic between the client and the server and “strips” the SSL/TLS protection from the client’s requests, forwarding them to the server as plain HTTP. If the server responds with the unencrypted HTTP version of the page, the attacker passes it on to the client.

If the server only provides an HTTPS version of the page, the attacker can create two separate connections: an unencrypted HTTP connection with the client, over which they serve the content the client requested, and their own HTTPS connection to the server, over which they fetch the same pages the user asks for.

Types of SSL Stripping Attacks

In an SSL stripping attack, the main challenge for the attacker is to perform the man-in-the-middle attack needed for them to intercept traffic between the client and the server. There are a few ways that an attacker can accomplish this, including:

  • ARP Spoofing: If an attacker is on the same local area network (LAN) as the target, they can perform an ARP spoofing attack that maps the target’s IP address to the attacker’s MAC address. This causes all data intended for the target to be sent to the attacker’s computer instead.
  • Proxy Servers: A computer can be configured to use a proxy server, which will cause all traffic to be sent to a particular location en route to its destination. If an attacker can set a target’s computer to use the attacker’s server as a proxy, the attacker can intercept all of the user’s browsing traffic.
  • Malicious Public Wi-Fi: An attacker can set up a public Wi-Fi network that mimics a trusted network. If users connect to the network, the attacker has access to all wireless traffic flowing through their malicious router.

Business Risks of SSL Stripping Attacks

SSL stripping attacks eliminate the protection provided to web traffic by SSL/TLS. This can be used in various attacks that have negative impacts on the business, including:

  • Credential Theft: SSL stripping attacks can be used to trick users into entering their credentials into unencrypted websites, allowing an attacker to steal them.
  • Sensitive Data Exposure: SSL stripping allows an attacker to read all data flowing between the client and server, potentially exposing sensitive data.
  • Phishing Sites: An attacker may serve a malicious version of a website that contains malware or other phishing content.
  • Malicious Content: An attacker could inject malicious content into the web pages provided to the user, potentially delivering malware or performing other malicious actions.

How to Prevent SSL Stripping Attacks

SSL stripping attacks depend on the attacker’s ability to perform a MitM attack and move a user over to an unencrypted HTTP connection without them noticing. Some ways to protect against SSL stripping attacks include:

  • Require HSTS: HTTP Strict Transport Security (HSTS) instructs a browser to load a site only over HTTPS and to refuse a downgraded HTTP connection, preventing SSL stripping attacks.
  • Enable Secure Cookies: Cookies are used to identify users, and a cookie marked Secure is only sent over HTTPS connections. Enabling secure cookies ensures that cookie data cannot be transmitted over a stripped HTTP connection.
  • User Education: Train employees to identify insecure sites that are not using an HTTPS connection.
  • Use a VPN: Use a VPN or similar solution to provide a secure, encrypted connection for remote users, preventing attackers from performing a MitM attack.
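As an added example that is not part of the original article, the following Python models the two header-based defences above: a browser-side HSTS cache that upgrades a stripped http:// link instead of sending it (and shows why the very first visit, before any HTTPS response or preloading, remains exposed), and a server-side check for a valid HSTS header and Secure cookies. Host names and header values in it are constructed sample data.

```python
# Added example, not the article's code: browser HSTS cache + server-header audit.
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit, urlunsplit

def parse_hsts(value: str, now: float) -> Optional[Tuple[float, bool]]:
    """Return (expiry time, includeSubDomains) or None when max-age is missing."""
    max_age, subs = None, False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name, arg = name.strip().lower(), arg.strip(' "')
        if name == "max-age" and arg.isdigit():
            max_age = int(arg)
        subs = subs or name == "includesubdomains"
    return None if max_age is None else (now + max_age, subs)

class HstsStore:
    """Browser cache: a host is protected only after one HTTPS response carried the header."""
    def __init__(self) -> None:
        self.policies: Dict[str, Tuple[float, bool]] = {}

    def learn(self, host: str, header: Optional[str], now: float) -> None:
        pol = parse_hsts(header, now) if header else None
        if pol is not None and pol[0] <= now:   # max-age=0 removes the policy
            self.policies.pop(host, None)
        elif pol is not None:
            self.policies[host] = pol

    def is_protected(self, host: str, now: float) -> bool:
        labels = host.split(".")                # exact host, then each parent
        return any(pol[0] > now and (i == 0 or pol[1])
                   for i in range(len(labels))
                   if (pol := self.policies.get(".".join(labels[i:]))))

    def request_url(self, url: str, now: float) -> str:
        """Upgrade a stripped http:// link to a known host before it is sent."""
        p = urlsplit(url)
        if p.scheme == "http" and self.is_protected(p.hostname or "", now):
            return urlunsplit(("https",) + tuple(p[1:]))
        return url

def audit_headers(headers: Dict[str, List[str]]) -> List[str]:
    """Server side: flag what a stripping attack relies on (keys lowercased)."""
    findings = []
    hsts = headers.get("strict-transport-security", [])
    if not hsts or parse_hsts(hsts[0], 0.0) is None:
        findings.append("missing or invalid Strict-Transport-Security header")
    for cookie in headers.get("set-cookie", []):
        if "secure" not in {a.strip().lower() for a in cookie.split(";")[1:]}:
            findings.append("cookie without Secure flag: " + cookie.split("=", 1)[0])
    return findings
```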

Protecting Against SSL Stripping Attacks

SSL stripping attacks give a cybercriminal who has gained a MitM position the ability to read and alter web traffic, which can be used for eavesdropping or other malicious purposes. User education and the use of a VPN on untrusted networks can help to protect against these attacks.

SSL stripping attacks are not the only threat that a company and its users can face. To learn more about the current cyber threat landscape and the most significant threats to watch out for, check out Check Point’s 2023 Cyber Security Report.