SSL Stripping: How Hackers Bypass HTTPS Security


Internet security is crucial today, and HTTPS encryption plays a major role in protecting our sensitive data. Unfortunately, there are methods that can circumvent this protection. One of them is SSL stripping, a sneaky type of attack that tries to strip our connections of their secure layer and force us to communicate unencrypted. What exactly does this mean, how does this attack work and how can we defend against it?

What is SSL Stripping and why is it dangerous?

SSL stripping is a technique that allows an attacker to remove HTTPS security from communication between a user and a website. In other words, if you visit a website that normally communicates using HTTPS, an attacker can make sure that your connection is converted back to unencrypted HTTP.

This means:

  • Your passwords, payment details or personal information may be intercepted.
  • An attacker can manipulate the content of the websites you see.
  • You have no idea you’re the victim of an attack because everything looks normal.

This attack is extremely dangerous, especially in public WiFi networks where an attacker can easily get between you and the website you want to visit.


How did SSL stripping come about?

Figure: SSL stripping attack scheme. The user connects to the web server via an attacker who removes HTTPS encryption. The connection between the user and the attacker is insecure (HTTP Insecure Connection), while the attacker communicates with the server over an encrypted connection (HTTP Secure Connection).

The first warning of this attack came in 2009, when security expert Moxie Marlinspike presented this method at the Black Hat conference. Marlinspike demonstrated that he could trick users into using insecure HTTP without them noticing.

The basic problem is that the initial connection to the site often uses unencrypted HTTP before redirecting to secure HTTPS. An attacker will exploit this moment to ensure that the redirect does not take place – leaving you communicating unencrypted the entire time.

How does SSL stripping work?

Let’s imagine a practical scenario:

  1. You enter the address of a website into your browser – for example, Web123.com.
  2. Your browser will first try to connect over HTTP (unencrypted connection).
  3. Normally the server would send a redirect to HTTPS, but the attacker intercepts your request.
  4. The attacker establishes an encrypted connection to the server in your place, but the connection between you and the attacker remains insecure HTTP.
  5. An attacker can eavesdrop on your communications and intercept any data you send – passwords, emails, payment details, etc.

This process is completely invisible to the average user. The page looks the same as always, only HTTPS disappears from the address bar.

What tools do attackers use?

There are special software tools that allow attackers to perform SSL stripping. The most famous is sslstrip, which was created by Marlinspike. Other methods include:

  • ARP spoofing – allows an attacker to redirect network traffic through his device.
  • DNS manipulation – an attacker changes where your requests are routed.
  • Fake WiFi networks – an attacker creates a fake WiFi hotspot that looks like a trusted network (e.g. “Hotel WiFi”).

How to defend against SSL stripping?

SSL stripping is dangerous, but there are ways to protect against it:

1. Use HSTS (HTTP Strict Transport Security)

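Websites can implement HSTS, which means that your browser remembers to always open the page over HTTPS. Even if an attacker intercepts your first request, HSTS will ensure that no insecure connections are made. This relies on the browser already knowing the site's HSTS policy, either from a Strict-Transport-Security header received on an earlier HTTPS visit or from the browser's built-in HSTS preload list; the browser then rewrites the address to HTTPS itself before any request leaves your device.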
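As an added illustration (not code from this article or from any browser), the Python sketch below models how a browser's HSTS cache decides whether a plain-HTTP request such as the one in the Web123.com scenario above gets upgraded. `HstsStore` and `demo` are hypothetical names, header keys are assumed to be lowercase, the preload list is left out, and URLs are assumed to carry no explicit port.

```python
from urllib.parse import urlsplit

def parse_hsts(value):
    """Parse a Strict-Transport-Security value -> (max_age, include_subdomains) or None."""
    max_age, subdomains, seen = None, False, set()
    for part in filter(None, (p.strip() for p in value.split(";"))):
        name, _, arg = part.partition("=")
        name = name.strip().lower()          # directive names are case-insensitive
        if name in seen:                     # a repeated directive invalidates the header
            return None
        seen.add(name)
        if name == "max-age":
            arg = arg.strip().strip('"')     # the value may be a quoted-string
            if not (arg.isascii() and arg.isdigit()):
                return None
            max_age = int(arg)
        elif name == "includesubdomains":
            subdomains = True
    return None if max_age is None else (max_age, subdomains)   # max-age is required

class HstsStore:  # toy model of a browser's HSTS cache (constructed, no preload list)
    def __init__(self):
        self.hosts = {}                      # host -> (expiry time, include_subdomains)

    def note_response(self, url, headers, now):
        u = urlsplit(url)
        policy = parse_hsts(headers.get("strict-transport-security", ""))
        if u.scheme != "https" or policy is None:
            return                           # a header seen over plain HTTP is ignored
        max_age, subdomains = policy
        if max_age == 0:
            self.hosts.pop(u.hostname, None) # max-age=0 removes the entry
        else:
            self.hosts[u.hostname] = (now + max_age, subdomains)

    def upgrade(self, url, now):
        u = urlsplit(url)
        labels = u.hostname.split(".") if u.scheme == "http" else []
        for i in range(len(labels)):         # exact host first, then parent domains
            entry = self.hosts.get(".".join(labels[i:]))
            if entry and entry[0] > now and (i == 0 or entry[1]):
                return u._replace(scheme="https").geturl()
        return url                           # no live policy: request goes out unchanged

def demo():
    store = HstsStore()
    first = store.upgrade("http://web123.com/login", 0)       # nothing cached yet
    hdr = {"strict-transport-security": "max-age=31536000; includeSubDomains"}
    store.note_response("https://web123.com/", hdr, 0)        # constructed response
    return first, store.upgrade("http://web123.com/login", 60)
```

`demo()` returns the unchanged `http://` URL for the first visit and the `https://` URL for the later one, which is the gap the preload list exists to close.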

2. Always check HTTPS in the address bar

If the address bar does not show HTTPS for a site you know should be secure, treat that as suspicious.

3. Use extensions like HTTPS Everywhere

The formerly popular HTTPS Everywhere tool from the Electronic Frontier Foundation (EFF) forces browsers to use HTTPS wherever possible.

4. Avoid public WiFi networks

If you must use a public WiFi network, never make online payments or enter passwords without a VPN on!

5. Always use a VPN against SSL Stripping

A VPN (virtual private network) encrypts all your internet traffic, ensuring that an attacker can’t see any of your data or carry out a man-in-the-middle attack.


6. Keep your software and browser up to date

Browser manufacturers are constantly improving security measures. If you’re using outdated software, you’re more vulnerable.

The future of security against SSL stripping

Internet security is constantly evolving, and new versions of protocols such as TLS 1.3 provide better protection against SSL stripping attacks. Web developers and browser vendors are implementing ever better security mechanisms to prevent users from making unwanted connections over HTTP.

For example, Google Chrome and Mozilla Firefox have already started blocking insecure HTTP sites and warning users against using them.

Conclusion

SSL stripping is dangerous, but if you know how it works and how to prevent it, you can greatly reduce your risk of becoming a victim. Today’s internet is full of threats, but with the right habits – like checking HTTPS, using a VPN, or avoiding public WiFi networks – you can effectively protect yourself.

Whether you’re a regular user or manage a website, security should always be a top priority.
