SSL Stripping: What is it and how to avoid it

 

There is a constant battle between the hackers and legitimate businesses to secure and manage confidential information. It seems that every time cyber security companies come up with a solution the hackers take a step back and then find another route. However, the truth is that issues such as SSL stripping are avoidable, and there are ways to detect these types of attacks. The problem is that they are extremely easy to set up, launch and manage, and they can assist in gathering highly confidential information in a non-encrypted format.

 

What is SSL stripping?

SSL stripping is fairly simple and can prove dangerous to website owners. It is a means by which a hacker intercepts data transfers between clients and web servers. Often referred to as man in the middle (MiTM) attacks, they do exactly what it says on the tin. The hackers will expertly place themselves in between the user’s browser and a website server. The key to a successful SSL stripping operation is to utilise that split second when the majority of URLs are redirected to the HTTPS version as opposed to the unencrypted HTTP version. Does this make sense so far?

Those who have active websites, or surf the Internet regularly, will be well aware that HTTPS is now standard across the vast majority of search engines. Indeed, websites which use the unsecure HTTP get flagged as potentially dangerous by search engines. So, this has in effect encouraged online businesses to encrypt all data from browsers to web servers, thereby rendering any intercepted encrypted information useless. This is a massive blow to hackers using simple man in the middle techniques. However, SSL stripping is a step up from this.

 

How does SSL stripping work?

There are four main stages to an SSL stripping operation which will effectively strip the encrypted element of any website and allow hackers to obtain decrypted information.

 

Stage one

The user requests a traditional website such as https://example.com but rather than going directly to the correct web server it will go via the hacker’s server.

 

Stage two

In the first instance the hacker will simply forward the correct information to the https://example.com web server still in its encrypted format.

 

Stage three

Rather than the response from the legitimate web server going directly to the user, it will be sent via the hacker’s server. In some ways this can be described as a form of domain squatting.

 

Stage four

This is the most dangerous element of the hack. Hackers remove the SSL security base of https://example.com, then return the site as a simple http://example.com URL. All information from here on in has no encryption applied. The door is now open!

The vast majority of surfers will have no idea that the web URL has been returned as an insecure http URL and all information passed from this point will not be encrypted. There are a number of factors to remember with this particular type of hack:-

  • As the hacker is communicating with the legitimate https://example.com website via an https link the web server will have no reason to raise any concerns.
  • As the surfer still receives the relevant response from the legitimate https://example.com, but via an unsecure http domain, they would not normally have any concerns.
  • The key is that information sent to and received from the legitimate web server (via the hacker’s server) will be encrypted. However, the information sent by the surfer is not encrypted before it is forwarded on.

If you think about the number of websites we all use which require confidential information and banking data, the potential for theft, blackmail and other criminal activities is immense. Thankfully, there are ways and means of reducing the risk of SSL stripping attacks.

 

SSL certificates

SSL certificates are used in conjunction with https encryption to create SSL-secured sites but in order to make a site more secure you will need to encrypt all pages and files. Unencrypted pages may be susceptible to man in the middle hacking attacks, leading to potentially disastrous consequences. One added layer of security comes in the form of what is known as a wildcard option that can be purchased at the same time as the original SSL certificate. This allows you to secure unlimited subdomains as well as website servers.

While some search engines have downgraded the use of Organisation Validation (OV) or Extended Validation (EV) SSL certificates, many believe they still have a role to play. These types of SSL certificates will visibly display the company’s name in the address URL bar. As a consequence, if your data was intercepted by a man in the middle hack via an SSL stripping operation then it would not show the company name associated with the legitimate website. When looking for SSL certificates you should ask your hosting company about the products they offer.

 

HSTS preload list

The HSTS (HTTP Strict Transport Security) preload list is another level of security which has been introduced to combat SSL stripping attacks. In simple terms the HSTS preload list is a global list of websites that only use HTTPS connections. If a browser detects an HTTP connection to one of these sites, it refuses the connection, preventing the website from loading. This would indicate a potential problem with an SSL stripping attack or similar hack.

It is essential that website owners educate themselves with regards to the HSTS preload list. In addition it is worth knowing how they can add this additional level of security to their websites. In simple terms the site must be set up to serve an HSTS header on the base domain for all HTTPS requests. This will indicate to all browsers that the site should only be loaded under the HTTPS protocol and any other variations rejected.
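As an added example (not code from the original article), the following Python audits a Strict-Transport-Security header value against the preload requirements published at hstspreload.org: a max-age of at least one year plus the includeSubDomains and preload directives. The function names and the sample header values are constructed for illustration.

```python
import re

PRELOAD_MIN_MAX_AGE = 31536000  # one year: minimum accepted by hstspreload.org

def parse_hsts(value):
    """Parse a Strict-Transport-Security value; None if browsers would ignore it."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue  # tolerate a trailing ';'
        name, _, arg = part.partition("=")
        name = name.strip().lower()   # directive names are case-insensitive
        if name in directives:
            return None               # RFC 6797: a repeated directive is invalid
        directives[name] = arg.strip().strip('"')  # max-age may be quoted
    if not re.fullmatch(r"\d+", directives.get("max-age", "")):
        return None                   # max-age is required and must be digits
    return directives

def audit_hsts(value):
    """Return findings for one header value; an empty list means preload-ready."""
    if value is None:
        return ["no HSTS header: HTTP requests to this site can be stripped"]
    d = parse_hsts(value)
    if d is None:
        return ["invalid HSTS header: browsers will ignore it"]
    findings = []
    max_age = int(d["max-age"])
    if max_age == 0:
        findings.append("max-age=0 tells browsers to forget the HSTS policy")
    elif max_age < PRELOAD_MIN_MAX_AGE:
        findings.append("max-age below one year: not eligible for preload")
    if "includesubdomains" not in d:
        findings.append("includeSubDomains missing: subdomains are not covered")
    if "preload" not in d:
        findings.append("preload missing: site has not opted in to the list")
    return findings

# Constructed sample header values (not captured from any real site).
SAMPLES = [
    "max-age=63072000; includeSubDomains; preload",
    "Max-Age=300",
    "max-age=31536000; max-age=0; includeSubDomains",
    None,
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(repr(sample), "->", audit_hsts(sample) or "preload-ready")
```

Pass `None` when the HTTPS response carries no HSTS header at all; the header only counts when it is served over HTTPS, since browsers ignore it on plain HTTP responses.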

 

How surfers can avoid SSL stripping attacks

The problem with a professionally executed SSL stripping attack is that the surfer and the web server will have no idea that the information passing between them has been compromised. The only visible sign will be the HTTP URL having replaced the HTTPS variation. In the midst of surfing this can easily be missed. Indeed, if you have typed in the correct URL then it is fair to assume that you should be taken to the correct secure URL.

There are some simple ways in which you can reduce the chances of an SSL stripping attack which include:-

  • Using the HTTPS Everywhere browser extension which will only display sites under the HTTPS protocol. So, if someone tries to strip your website’s SSL from the URL, it would be rejected.
  • Consider Virtual Private Networks (VPNs). This is a great point for business users. Whether using an HTTPS or HTTP URL all of the information passed via the network will be encrypted.
  • Unfortunately, many people believe that public Wi-Fi networks are a godsend, especially when they’re on the move. But be mindful that they can be a man in the middle hacker’s dream. Many hackers will simply prey on the fact that public Wi-Fi networks are often unsecure and easy to intercept.
  • If you log onto a website which does not have an HTTPS element at the start of the URL this means the link is not secure. All information passed from the browser to the web server will not be encrypted.
  • Malicious links have been the bread-and-butter of hackers for many years. Sent via spam emails, listed on forums and anywhere with a large public following, they can plant the seeds of significant data collection. If you see malicious links, perhaps in an email from somebody you don’t recognise, avoid them like the plague!

These are just some of the relatively simple ways in which you can avoid SSL stripping hacks.

 

Summary

Unfortunately, many people assume that if they are able to see a website on their browser then there is no danger. If they typed in the correct HTTPS URL then many feel even more secure, even if the URL then changes to a simple HTTP variation. Many successful hackers play on the fact that the majority of surfers believe “it will never happen to me”. The online arena is doing as much as possible to alleviate the threat of man in the middle attacks. However, consumers do need to remain vigilant.

One interesting development of late has been the automatic addition of certain top-level domain extensions such as .app to the HSTS preload list. So, anyone who uses an .app URL will automatically be protected from man in the middle attacks. This is primarily because the browser will only accept the HTTPS link. It is something which the industry will no doubt need to expand upon, especially as the continuous and brutal fight between cyber criminals and cyber security companies continues.