SSL Strip - SSLMagic

What is the SSL Strip and How You Can Prevent It

Since the first launch of SSL certificates in the business market, SSL Certificates have experienced significant security updates, and now claim a practically unbreakable level of encryption.

Though, the nonstop Positive SSL EV certificates, haven’t debilitated negative attackers to think of inventive approaches to attempt to steal the encoded information. Despite the fact that we’ve previously written about infamous man-in-the-middle attacks, and SSL sniffing, but one specific sort of MitM attack merits its own article. Please give a reading to SSL Strip, a program that downgrades a site from HTTPS to HTTP. Initially a brief background of the author, Moxie Marlinspike is given.

Moxie Marlinspike, an American computer analyst and cypher punk originally showed how one can bypass HTTPS security. It is a risky strategy that can incite colossal complications from a client’s perspective.

Marlinspike is far from being just a hacker. Actually, he is a notable American computer security researcher. He advocates the broad use of solid cryptography and PET (protection improving advancements). In year 2009, he talked about this hazardous SSL weakness for the first time the Black Hat data security

How it works?

This tool would catch HTTP traffic and whenever spotted diverts or connects to websites utilizing HTTPS, it would immediately strip them away.

Rather than the victim interfacing straightforwardly to a site; the victim would get linked with the attacker, and the assailant would start the connection back to the site. This assault is known Man-in-the-Middle attack.

What the SSL Strip function is bit unnerving, however here is a good news, you can without much of a stretch prevent it. Before we uncover its solution, let’s give a reading to how the SSL Strip compromises the security connections.

Why SSL Strip is so dangerous?

SSL Strip reroutes all the traffic originating from a victim’s PC towards an intermediary made by the attacker. To be more clear, put yourself in the shoes of the attacker. We have built a connection between the prey and the proxy server. It can capture all the traffic that streams to us. Without utilizing the SSL Strip we would essentially get the scrambled information, which we won’t have the option to unravel.

Be that as it may, things change radically once we include the SSL Strip in this mix. On the off chance that somebody interfaces with our intermediary server, with the Strip running in it, the victim won’t get any warning or alert from the browser about the SSL Certificate blunder. He/she won’t have any doubt that a real assault is occurring. So by what method can the SSL Strip stunt both the browser and the site’s server?

The Strip exploits the manner in which most clients come to SSL sites. Most of visitor’s interface with a site’s page that redirects (ex: the 302 divert), or they show up on a Comodo EV SSL Certificate page by means of a connection from a non-SSL site. If by chance, the victim requires for example, to purchase a computerized item and types the URL in the address bar e.g, the browser associates with the victim computer and waits for a reaction from the server. The victim, thusly, forwards the victim’s solicitation to the online shop’s server and gets the secure HTTPS payment page. For example:

Now, the assailant has unlimited authority over the protected payment page. He downgrades it from HTTPS to HTTP and sends it back to the victim’s browser. The browser is presently diverted to From now onwards, all the victim’s information will be transferred in plain content format, and the attacker will have the option to catch it. In the mean time, the site’s server will imagine that it has effectively launched the protected connection. It did that without a doubt, but with the attacker’s machine, not the victim’s one.

Instructions to shield your site from SSL Strip

Because of its tendency, the SSL Strip can work only on sites that don’t encode pages beyond the login page. Sites which use both HTTP and HTTPS in their configuration are inclined to different security threats including the SSL Strip. To remain on safe side, consistently utilize a SSL Certificate on the whole site. At the end of the day, make a point to have all your content, for example, pictures, documents and recordings on HTTPS. Another layer of security fit for halting the Strip is HSTS (Strict Transport Security). This component teaches the browser to consistently link by means of HTTPS and not HTTP.

HSTS Preloading

One of the deficiencies of HSTS is the way that it requires a previous link to know to consistently interface securely to a specific site. At the point when the visitor initially connects with the site, they won’t have received the HSTS rule that advises them to consistently utilize HTTPS. Just on ensuing connections will the visitor’s browser, be cognizant of the HSTS rule that requires them to interface over HTTPS.

Different instruments of assaulting HSTS have been investigated; for instance by seizing the protocol used to the sync a PC’s time (NTP), it  is very well conceivable to set a PCs date and time to one in the future. This date and time can be set to a value when the HSTS rule has lapsed and along these lines bypassing HSTS.

HSTS Preload Lists are one possible solution to assist with these issues, they viably work by hardcoding a list of sites that should be linked to utilizing HTTPS only. Websites with HSTS enabled can be submitted to the Chrome HSTS Preload List at; which is additionally utilized as the premise of the preload records utilized in different browsers.

All the more Still to be Done

Leonardo Nve resuscitated SSLStrip in another adaptation called SSLStrip+, with the capacity to avoid HSTS. At the point when a site is associated to over a decoded HTTP link, SSLStrip+ will search for connections to HTTPS locales. At the point when a connection is found to a HTTPS site, it is modified to HTTP and analytically the domain is changed to a counterfeit domain which isn’t on the HSTS Preload list.

Leave a Comment

Your email address will not be published. Required fields are marked *