How does SSLstrip work?

  • I've been reading up on SSLstrip and I'm not 100% sure on my understanding of how it works.

    A lot of documentation seems to indicate that it simply replaces occurrences of "https" with "http" in traffic that it has access to. So a URL passing through such as "https://twitter.com" would be passed on to the victim as "http://twitter.com".

    At this point does SSLstrip continue to communicate with Twitter via HTTPS on our behalf? Something like this:

    Victim  <== HTTP ==>  Attacker  <== HTTPS ==>  Twitter
    

    Or is it just the fact that the client is now communicating with Twitter over HTTP that gives us access to the traffic?

    Victim  <== HTTP ==>  Attacker  <== HTTP ==>  Twitter
    

    My guess is it would be the first option where the Attacker continues to communicate with Twitter via HTTPS as it is enforced by Twitter but I would just like some clarification, thanks.

    Your first diagram is right.

  • rook (correct answer, 7 years ago)

    You should watch Moxie Marlinspike's talk Defeating SSL using SSLStrip. In short, SSLStrip is a type of MITM attack that forces a victim's browser into communicating with an adversary in plain-text over HTTP, and the adversary proxies the modified content from an HTTPS server. To do this, SSLStrip is "stripping" https:// URLs and turning them into http:// URLs.

    HSTS is a proposed solution to this problem.

    Brilliant, that answered my question. It was actually problems I encountered with HSTS in Chrome and its preloaded list of sites that got me questioning how it works. Thanks!

    Another solution is HTTPS-Everywhere.

    HTTPS-Everywhere isn't really a solution to this problem. It can mitigate it for sites with explicit rules defined, but that's not really a scalable solution.

    HTTPS-Everywhere is a solution when providers start serving TLS only! Then there is no need to upgrade the connection and no possibility to downgrade it in this way. And there are some pages proving that TLS-only is perfectly doable.

    @FlorianLoch Whether the site accepts HTTP connections (HSTS or not) has nothing to do with this problem. Just because you can't connect to the site with HTTP doesn't mean you can't connect to the attacker with HTTP.
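The HSTS mitigation proposed in the accepted answer, as an added example that is not part of the original thread: a toy model of a browser's HSTS host store (RFC 6797) showing why a host already known from a header or the preload list is upgraded to https:// before any plaintext request is sent, so a downgrading proxy never sees an http:// exchange, and why a first visit to an unknown, non-preloaded host (the Chrome preload-list point raised in the comments) is still exposed. The class and method names are hypothetical, and preloaded hosts are treated as includeSubDomains, a simplification of the real list.

```python
import re
import time
from urllib.parse import urlsplit, urlunsplit

# Toy model of a browser's HSTS host store (RFC 6797); hypothetical code for
# illustration. Preloaded hosts are treated as includeSubDomains (a simplification).
class HstsStore:
    def __init__(self, preload=(), now=time.time):
        self.now = now
        # host -> (expiry timestamp, None if preloaded; includeSubDomains flag)
        self.hosts = {h.lower(): (None, True) for h in preload}

    def observe(self, host, headers, secure):
        """Record a Strict-Transport-Security header; only HTTPS responses count."""
        sts = headers.get("Strict-Transport-Security")
        if not secure or sts is None:
            return  # a header seen over plain HTTP could come from the attacker
        directives = [d.strip() for d in sts.split(";")]
        ages = [m for m in (re.fullmatch(r'max-age\s*=\s*"?(\d+)"?', d, re.I) for d in directives) if m]
        if not ages:
            return  # max-age is mandatory; a header without it is ignored
        max_age = int(ages[0].group(1))
        include_sub = any(d.lower() == "includesubdomains" for d in directives)
        host = host.lower()
        if max_age == 0:
            self.hosts.pop(host, None)  # max-age=0 tells the browser to forget the host
        else:
            self.hosts[host] = (self.now() + max_age, include_sub)

    def is_known(self, host):
        """True if host (or a covering includeSubDomains parent) has a live policy."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self.hosts.get(".".join(labels[i:]))
            if entry is None:
                continue
            expiry, include_sub = entry
            if expiry is not None and expiry < self.now():
                continue  # policy expired; the host is unknown again
            if i == 0 or include_sub:
                return True
        return False

    def navigate(self, url):
        """Return the URL the browser would actually request for a typed or linked URL."""
        parts = urlsplit(url)
        if parts.scheme == "http" and self.is_known(parts.hostname or ""):
            return urlunsplit(("https",) + tuple(parts[1:]))
        return url
```

A stripped link to http://twitter.com therefore never produces a plaintext request once the host is preloaded or has been visited over HTTPS; the remaining window is the very first visit to a host that is neither.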

License under CC-BY-SA with attribution


Content dated before 6/26/2020 9:53 AM