SSL Stripping Attack
SSL stripping is an attack in which the attacker inserts themselves between a user and a website and downgrades the user's secure HTTPS connection to the insecure HTTP version of the site. The user ends up talking to the attacker over plain HTTP while the attacker maintains the HTTPS connection to the real site, so the user's activity is visible to the attacker in unencrypted form.
When you visit a website, you typically connect to the less secure HTTP version before being taken to the secure HTTPS version. That is the moment an attacker can perform an SSL stripping attack: because the connection starts out unsecured, the attacker can strip the SSL connection and mount a man-in-the-middle attack that prevents the user from ever reaching the website securely.
An SSL stripping attack is potentially very dangerous: not only can the attacker read all the traffic sent to the website in plain text (e.g. credit card and Social Security numbers), but they can also send data back to the user while posing as the legitimate site.
The main ways an attacker can perform an SSL stripping attack are the following:
- The user's browser proxy is configured to forward all traffic to an external server. All the data the user sends through the browser then goes to the attacker, who can abuse that control in a number of ways.
- The attacker uses spoofed Address Resolution Protocol (ARP) messages to insert themselves into the path of a specific IP address, so they receive all the data sent from that address.
- Attackers also often set up fake public Wi-Fi networks for SSL stripping. As soon as a user connects to the fake network, the attacker controls all the communications that pass through it.
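The downgrade described above relies on the initial plain-HTTP request being answered with content rather than a redirect, and on the browser having no reason to insist on HTTPS. The following added example (not code from the original article) checks a site's two entry responses for those two conditions, using the Strict-Transport-Security (HSTS) header as the browser-side defence; the sample responses and the `min_max_age` threshold are constructed assumptions.

```python
from urllib.parse import urlparse

def parse_hsts(value):
    """Parse a Strict-Transport-Security header value; None if absent or malformed."""
    directives = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        name = name.strip().lower()
        if name:
            directives[name] = val.strip().strip('"')
    if not directives.get("max-age", "").isdigit():  # max-age is mandatory
        return None
    return {
        "max_age": int(directives["max-age"]),
        "include_subdomains": "includesubdomains" in directives,
        "preload": "preload" in directives,
    }

def assess_site(http_resp, https_resp, min_max_age=31536000):
    """Return findings that leave users exposed to an HTTPS-to-HTTP downgrade.

    Each response is (status_code, headers_dict): first the reply to the initial
    plain-HTTP request, then the reply over HTTPS. Header names are case-insensitive.
    """
    findings = []
    status, headers = http_resp
    headers = {k.lower(): v for k, v in headers.items()}
    # Step 1: the plain-HTTP entry point must redirect to HTTPS, not serve content.
    # Content served here is exactly what a stripping proxy would relay to the user.
    if status not in (301, 302, 307, 308):
        findings.append("plain-HTTP request is served directly instead of being redirected to HTTPS")
    elif urlparse(headers.get("location", "")).scheme != "https":
        findings.append("redirect from HTTP points at a non-HTTPS URL")
    # Step 2: the HTTPS response should carry HSTS so the browser refuses plain HTTP
    # on later visits and upgrades typed http:// URLs itself (RFC 6797).
    s_headers = {k.lower(): v for k, v in https_resp[1].items()}
    hsts = parse_hsts(s_headers.get("strict-transport-security", ""))
    if hsts is None:
        findings.append("no valid Strict-Transport-Security header on the HTTPS response")
    elif hsts["max_age"] < min_max_age:
        findings.append(f"HSTS max-age {hsts['max_age']} is below {min_max_age}; protection lapses quickly")
    return findings

# Constructed sample responses (not captured from any real site).
HARDENED = ((301, {"Location": "https://shop.example/"}), (200, {"Strict-Transport-Security": "max-age=63072000; includeSubDomains"}))
EXPOSED = ((200, {"Content-Type": "text/html"}), (200, {"Content-Type": "text/html"}))

if __name__ == "__main__":
    for name, site in (("hardened", HARDENED), ("exposed", EXPOSED)):
        print(name, assess_site(*site) or ["no findings"])
```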