SSL Stripping

Hey Nathan,

First of all thanks for being approachable. I did ask a question (may be a stupid one) on Udemy once and you answered it the next day. It definitely gave me confidence and hence here I am asking another one.

I am unable to visualize the situation in the below case. Please clarify!

In case of an SSL Stripping situation, the attacker is in the middle of the traffic of our network. As you had mentioned, it waits for one of two events (302 redirect or visiting the website through a link). So, when we send the original HTTP connection, the server rejects it, saying “This should be an HTTPS connection” and sends it back to the client. Here, I have a couple of questions:

  1. Does the SSL Stripping apply for TLS? If it does not yet, is it possible, considering TLS uses an improved security as compared to SSL?

  2. When does the attacker exactly strip away the HTTPS and change to HTTP? Does it happen when the server has sent the response stating “It should be HTTPS”, or does it wait till the client sends another HTTPS request to the server, the server verifies, the client and the server establish an asymmetric encryption to authenticate, the key exchange process happens with the symmetric algorithm in place, data exchange happens through hashes and MACs, and then the attacker starts intercepting our activities?

  3. If it is the second case and if it is applicable for TLS, how does any attacker crack the above four (I am assuming MACs have it too) algorithms in place in such a short period of time?

  4. Or is it possible it doesn’t have to come to that? If a criminal is already in the middle of network traffic (and I believe that is possible if the server has sent the response to establish an HTTPS connection but it never reaches the client), he may already be intercepting and possibly changing the key exchange between the client and the server, and hence he doesn’t have to crack any algorithm at all.

Thanks
Rishabh

  1. Yes, SSL stripping does apply to TLS also. Nowadays, whenever someone talks about SSL, they mean SSL/TLS. TLS versions 1.2 and 1.3 have been made more secure by encrypting more parts of their headers, but they are still vulnerable to SSL stripping in certain situations.

  2. Think of the attacker as a VPN server. Whenever you connect to the VPN, the request first goes to the VPN and then to the website. In this scenario, the attacker acts as a middleman. The attacker has initiated the TLS connection to the server, but it is decrypting the packets on his machine and sending them to you. So he knows and can modify the data.

  3. As I said above, the SSL/TLS handshake process has not been tampered with at all, because no one can break the advanced cipher suites that are used unless we get quantum technology. Performing SSL stripping nowadays has to do with exploiting HSTS.

You can read more about it here: https://blog.cloudflare.com/performing-preventing-ssl-stripping-a-plain-english-primer/
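As an added illustration (not part of the thread or the linked primer), a small Python model of the situation described in the answer: the party in the middle completes the HTTPS leg to the origin itself, so no cipher is broken, and a browser that already knows the host's HSTS policy never sends the plaintext request that the rewrite depends on. The host name `bank.example` and all function names are placeholders.

```python
import re
from dataclasses import dataclass, field

# Added toy model of the thread's scenario; "bank.example" is a placeholder
# host and nothing here touches a real network.
ORIGIN = "bank.example"

def origin_server(scheme, host, path):
    """Honest path: plain HTTP gets a 302 to HTTPS; HTTPS serves the page plus HSTS."""
    if scheme == "http":
        return {"status": 302, "headers": {"Location": f"https://{host}{path}"}, "body": ""}
    return {"status": 200, "headers": {"Strict-Transport-Security": "max-age=31536000"},
            "body": f"<a href='https://{host}/login'>login</a>"}

def stripping_network(scheme, host, path):
    """Plaintext leg with a party in the middle: it completes the HTTPS leg to the
    origin itself (no cipher is broken) and returns a plaintext copy in which every
    https:// reference is rewritten to http://. The HTTPS leg it cannot touch."""
    if scheme == "https":
        return origin_server(scheme, host, path)
    upstream = origin_server("https", host, path)
    return {"status": 200, "headers": {}, "body": upstream["body"].replace("https://", "http://")}

@dataclass
class Browser:
    hsts_hosts: set = field(default_factory=set)   # remembered or preloaded HSTS hosts
    log: list = field(default_factory=list)        # every URL actually requested

    def fetch(self, url, network):
        scheme, rest = url.split("://", 1)
        host, _, path = rest.partition("/")
        path = "/" + path
        if host in self.hsts_hosts:
            scheme = "https"   # RFC 6797: upgrade before anything leaves in plaintext
        self.log.append(f"{scheme}://{host}{path}")
        resp = network(scheme, host, path)
        if scheme == "https" and "Strict-Transport-Security" in resp["headers"]:
            self.hsts_hosts.add(host)  # the header is only honored when received over TLS
        if resp["status"] == 302:
            return self.fetch(resp["headers"]["Location"], network)
        return resp

def visit_and_click_login(network, hsts_known=False):
    """Type the bare hostname (browser starts with plain HTTP), then follow the login link."""
    b = Browser(hsts_hosts={ORIGIN} if hsts_known else set())
    page = b.fetch(f"http://{ORIGIN}/", network)
    link = re.search(r"href='([^']+)'", page["body"]).group(1)
    b.fetch(link, network)
    return b.log
```

With `origin_server` passed as the network the log goes http, 302, https; with `stripping_network` the browser stays in plaintext for the whole session unless it already knows the HSTS policy, in which case the middle party never sees a plaintext request to rewrite.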