SSL

What do you know about SSL Strip?

August 17, 2017 | By Comodo SSL

SSL strip is a code that downgrades a HTTPS website to HTTP. Ever since the introduction of SSL certificate in the market for commercial purpose, it has gone through a variable phase of up gradation, and they claim to totally fool proof with high-level encryption. Nevertheless, this regular up gradation of SSL certificate has not deterred the cyber criminals and the founder of SSL strip Moxie Marlinspike from finding a way to steal user data. Let’s get a brief about Marlinspike, the man behind this.

SSL Strip

Marlinspike is a renowned computer security researcher who advocates strong opinion about cryptography and privacy-enhancing-technology. He is not a hacker. Marlinespike was the first who came up with this flaw of SSL weakness. He raised his doubt about SSL weakness at the first ever Black Hat Information security event. SSL Strip is notorious, but before we discuss the vulnerabilities, let’s throw some light how it compromises a secure connection. But you can easily prevent it.

How it Works?

SSL Strip intercepts and redirects all the traffic that comes into a website towards a proxy created by the hacker. So the scenario is like they create a connection between your computer and the proxy server. Without SSL Strip you only receive the encrypted data, which cannot be decoded.

Once the SSL Strip is added to the website it changes the entire behavior drastically. When the website connects to the server with the Strip, the user will not know that an actual attack is taking place. The victim will not get any alert from the browser indicating about SSL certificate error. So how is that possible that SSL Strip is able to trick the browser and the server.

Actually, it is not easy to track these changes or attack if the user is able to notice carefully how he is redirected from one place to another just by following the URL. For instance, you land up on an e-commerce website for online shopping, for example. http://www.yourshoppingdomain.com, the browser connects you to the attacker’s machines. The attacker will forward the victim’s to the e-commerce server, and if you can notice you will receive a secure HTTPS payment gateway page, like https://yourshoppingdomain.com.

This is the time when the hacker has complete control of your transaction over the payment page. From HTTPS the attacker downgrades it to HTTP and redirects it back to the victim’s browser. Unaware of these minor changes in the URL the victim completes his transaction on http://www.yourshoppingdomain.com. All the data and information is now exchanged in plain text, which the attacker can easily intercept. On the other hand, the browser thinks it has just finished a completely secure transaction successfully. Yes, right, a secure transaction did happen, but it was with the hacker’s system who is in the middle of all this game, not the real user

How to prevent your website from SSL Strip

The best way to ensure that you are not in the middle of any such attack is to secure your website with SSL Technology throughout the website. For your information, SSL strip works on such website that does not encrypt pages after you log in. Websites with both HTTP and HTTPS are prone to attack, so as said above securing it with SSL certificate is the best way to ensure you are safe. Always ensure that your data like pictures, files, videos are always hosted on HTTPS. We have a new protocol that ensures SSL Strip is Strict Transport Security (HSTS). This is a method that ensures that your website always connects through HTTPS and not HTTP.

Compare Types of SSL Certificate

Posted in SSL,Technology

Be Sociable, Share!

Leave a Comment


 


* fields are mandatory