“How to stay safe online!” is a typical headline these days. We are told repeatedly that free public Wi-Fi is “dangerous,” that our private data is “vulnerable,” and that we should take steps to “protect” ourselves. These terms, however, are vague. As a result, the threat of “being hacked” can seem distant and irrelevant.
That’s why we’re here to explain a very real and specific type of cybersecurity threat that could affect you if you’re a fan of using public Wi-Fi networks.
The cybersecurity threat in question is a man-in-the-middle attack (MITM) known as SSL stripping.. According to a cybersecurity expert at ExpressVPN, there are two types of SSL-based attacks. They are SSL stripping and SSL downgrading. In SSL downgrading, a hacker attempts to trick the server into abandoning an encrypted connection in favor of a less secure connection. Below, we’ll explain what SSL stripping is.
What is SSL stripping?
With a $20 wireless adapter and a set of free penetration testing tools running on Kali Linux of a typical laptop, a hacker can identify computers on a wireless network and listen to its traffic. This means that the hacker can see a user’s request to visit www.gmail.com, intercept it, and forward it to Gmail from their computer, pretending to be the user.
Ideally, Gmail wants its users to use HTTPS, so it sends back the login page encrypted using SSL, but because the hacker is the man-in-the-middle, they can “strip” (i.e., remove) the SSL before forwarding it to the user. None the wiser, the user y types in their password and hits “Sign in,” not realizing that they’re sending it in clear text straight to the hacker. The hacker then adds back the SSL encryption before forwarding it to Gmail, successfully completing their mission of stealing confidential information.
History of SSL stripping attacks
SSL stripping is quite well known among security professionals. It was first introduced at the 2009 Black Hat conference in Washington DC by Moxie Marlinspike, better known as the security genius behind the encrypted chat app Signal. Amazingly, the attack still works despite being more than 8 years old!
What did change is that some sites have implemented a new protocol called HSTS (HTTP Strict Transport Security) designed to thwart SSL stripping. Sites that use HSTS will only allow the browser to make requests in HTTPS, not plaintext HTTP like the kind that the hacker above first intercepts from the user.
Thankfully, SSL stripping no longer works with Facebook or Gmail because they have completely switched to HTTPS and implemented HSTS. However, there are still many popular sites, like Hotmail, Amazon, eBay, and Citibank, that haven’t completely abandoned HTTP and thus aren’t yet eligible for HSTS.
How to detect SSL stripping
Many SSL strip attacks go undetected. However, there are ways to detect them. The best part? It’s not that difficult to do so. Here are some of the common signs:
- You were on a site with HTTPS before it got switched to HTTP.
- The padlock next to the web address bar is open and colored red.
- The design of the site looks off.
- Lots of spelling mistakes and grammatical errors on the site.
How the SSL strip attack works
Prior to being routed to the HTTPS version of a website, an internet user is usually connected to the HTTP version first. In SSL strip attacks, the hacker intercepts the connection before the user has a chance to connect to the HTTPS version.
Below, we look at some of the different methods of SSL stripping attacks.
SSL stripping attack methods
In an SSL proxy server attack, a hacker sits between the victim and a server. To intercept and steal data, the hacker must first gain access to the network the device is connected to. Then, they could choose to configure the proxy server settings to fit their needs or use a combination of the other types of SSL stripping attacks to gain access to the data they want.
Address resolution protocol (ARP) spoofing
An address resolution protocol (ARP) is a setting that enables a network to connect with an IP address and, in turn, MAC addresses. The MAC address is a globally unique number that is assigned to every single network interface card, this essentially serves as the device’s physical address and identifier.
Whenever devices on a network need to communicate with each other, they’ll need to know the MAC address of the other devices. To obtain the MAC address, devices will run an ARP to acquire the MAC address.
During an ARP spoofing attack—or ARP poisoning attack—a hacker sends a spoofed ARP message to their victim’s device to obtain its MAC address. Once this happens, the hacker can inspect all the data communicated by the victim before sending it to the initially intended device.
This YouTube video demonstrates better how an ARP spoofing attack works.
Targeting Wi-Fi networks
Through this method, cybercriminals create fake Wi-Fi networks to lure internet users into connecting to them. To make their networks more enticing, hackers can name their networks after established places like Starbucks or McDonald’s with actual free Wi-Fi networks.
Once a user has connected to their network, the hacker can then see all the communication that goes through their victim’s device and their network.
Potential risks of SSL stripping attacks
- Stolen information: Everything a user sends and receives to a website can be seen by a malicious hacker during an SSL stripping attack because all the information is essentially sent as plaintext and isn’t encrypted.
- Fraudulent transactions: Once they’ve managed to steal important information, a hacker can easily perform fraudulent transactions or alter communications between a website and its user.
- Inaccurate communications: Like fraudulent transactions, hackers can access various apps and files once they’ve stolen the credentials of a user and use them to spread misinformation.
Examples of SSL stripping attacks
Scenario 1: You were tricked into accessing the HTTP version of a site
In this scenario, a hacker sits between you and your connection. The hacker then downgrades your encryption from HTTPS to HTTP without you realizing it. You then input confidential information like your bank details or passwords from a work website thinking it’s safe.
Scenario 2: You visit an unsecured website
While you’re browsing through an online store, you notice that the pages don’t have a padlock in the URL bar and there’s a disclaimer saying that the connection is not secure. You think this is fine because you are not inputting any information yet.
When you get to check out, you notice that there still isn’t a padlock on the URL bar but you think you’ve purchased on this site before so it should be safe. In this example, a hacker could either create a fake site imitating a legitimate one or temporarily disrupt a secure connection to steal your information.
Scenario 3: Your recipient is not who you think they are
Say you work for a bank and need to transfer funds for a client from one account to another. After checking multiple times, the client tells you that their details are correct. Suddenly, you get a message from the “client” informing you that they’ve got an entirely different account and will need to you transfer money to that account instead. You then proceed to do so.
Unbeknownst to you, a hacker has successfully managed to reroute all your internet connections from your computer to theirs, intercepting all communications you had with others. Seeing this opportunity, the hacker then sends you their own bank account information so you send money to them instead.
How to prevent SSL stripping attacks
SSL stripping might seem like a tough attack to defend against, because it works on many devices and networks. You are susceptible to SSL stripping whether you’re on mobile or desktop, Windows or Mac, and it doesn’t matter whether you’re on free public Wi-Fi or a password-protected private network. You could even get hacked by your next-door neighbor snooping on your home Wi-Fi! (Some enterprise networks, like those of corporations or schools, are configured to guard against attacks like SSL stripping.)
If you’re tech-savvy enough to recognize the HTTPS padlock icon missing from your browser’s address bar, you may just catch an SSL stripper in the act. But, that kind of vigilance often isn’t enough:
Only visit sites with sitewide SSL
Websites often include SSL on website pages that require users to input sensitive information. However, cybersecurity experts recommend you to only visit websites that implement SSL encryption across their entire site, even when if it doesn’t require you to type in any information.
Stay educated on cybersecurity threats
One of the best ways to prevent yourself from the falling victim is to stay educated about common cybersecurity threats you could face while online. There are a number of blogs (including this one) that can keep you posted on the latest cyberattacks and how what to do if you encounter them. Using a VPN prevents SSL stripping
By connecting to a VPN, your internet traffic goes through a private and encrypted tunnel instead of on a public network that a hacker can listen in on. With a VPN, all of your internet traffic is protected so not even the initial request to a website that could be used to initiate an SSL strip is visible.
FAQ: About SSL stripping attacks
Is SSL really secure?
While sites secured with SSL certificates are generally safe, it’s still possible for a motivated and expert hacker to exploit the trust in these certificates through phishing methods.
Is SSL stripping able to attack an HTTPS connection?
Yes, SSL stripping can still occur if a website uses both HTTP and HTTPS connections. That said, it’s best to enable HTTPS across every page on your site.
Why are open Wi-Fi hotspots dangerous?
Public and open Wi-Fi hotspots are dangerous because they allow hackers to place themselves between the connection and its users. This means it’s easier for hackers to see all the information a user sends through the connection.