1

I'm looking for clarification of some of the details of an SSL stripping attack.

My current understanding is that:

  1. The attacker sits between the victim and a server.

  2. When the attackers receives an HTTP request from the victim, the attacker sends the request to the server using HTTPS

  3. When the attacker receives the response from the server, it strips away the HTTPS links and then forwards the response to the victim using HTTP

These are some of the details I'm missing:

  1. The response from the server back to the attacker is in HTTPS and is encrypted. How is the attacker able to read the content to strip away the HTTPS links?

  2. Are the HTTPS links being stripped in the body of the response from the server?

  3. Does anything in the response header need to be changed before forwarding the response back to the victim?

AndrolGenhald
  • 15,696
  • 5
  • 45
  • 51
user137481
  • 113
  • 3

2 Answers2

3

Your understanding is correct.

  1. This is because the attacker established the HTTPS communication, so when the response from the web server comes to them it is decrypted and then forwarded to the victim.

  2. Yes, all HTTPS links in the body are replaced with HTTP links, as the Location header.

  3. sslstrip analyses the response headers and

    • removes accept-encoding

      I think this is so the attacker doesn't have to decompress and recompress every request from the client when analysing requests.

    • removes if-modified-since

      This is so the client has to make a full request to the server, even if the page hasn't been modified. This header needs to be removed because otherwise there is no complete request to the server and nothing to intercept.

    • removes cache-control

      This is for the same reason as if-modified-since, so the client doesn't try to load the page from a cache and avoid making a complete request to the request to the server.

    • changes link in Location header to HTTP
Joe
  • 2,764
  • 2
  • 13
  • 22
1

1: How is the attacker able to read the encrypted message?

The attacker is the one connecting directly to the server, not the victim, so the server sets up the encryption with the attacker.

2: Are the links stripped from the body of the message?

Yes. And since the attacker can already read the plaintext version, this is trivial.

3: Does the response header need to be changed?

Probably not. However, it's unlikely that the attacker will forward the server's headers directly to the victim, as this is extra work beyond just setting up a simple proxy server.

Ghedipunk
  • 6,050
  • 2
  • 25
  • 35