4

Can an SSLstrip attack take place even if the client types https:// instead of http:// ?

I have read that an attacker can monitor for HTTP requests and redirect them to HTTPS. But I am curious to know whether HTTPS requests can also be exploited.

S.L. Barth is on codidact.com
  • 5,524
  • 8
  • 40
  • 47
faraz khan
  • 329
  • 3
  • 12

3 Answers3

5

No, that is not possible. In case the user types 'https://', the secure tunnel is generated, and SSLStrip cannot interfere anymore.

SSLStrip works by intercepting HTTPS redirects sent from the server. SSLstrip then sets up a HTTPS connection with the server (the server thus thinks everything is ok), but keeps an HTTP connection with the victim. SSLStrip can only capture these HTTPS redirects if they are sent to the browser using plain HTTP. Otherwise, SSLStrip would be able to 'break into' the SSL tunnel, which it doesn't.

HSTS is an implementation that could be used to tell the browser to always connect via HTTPS (and thus to not rely on https redirects from the server anymore).

Michael
  • 5,483
  • 3
  • 35
  • 58
  • This is correct. The handshake for TLS/SSL occurs prior to any HSTS protocol (look up the OSI model regarding layer 3 & 4 (TLS) and layers 6 (HSTS). – jas- May 19 '15 at 11:52
0

This depends on how the site handles the user going straight to HTTPS.

If the site redirects back to plain HTTP at any point, then the SSL strip attack can succeed. Some sites only enforce https for pages they deem sensitive, like the checkout. They may purposely redirect their users to plain HTTP for other pages. If they do, then the user typing https does no good.

When HTTPS is used throughout, all communications are encrypted meaning that any SSL strip cannot work.

To protect against users forgetting to use the https URL in their browser a site can set an HSTS policy to tell the browser to use HTTPS for a certain time frame (eg. a year). It is possible to get your site listed in browser pre-load lists so that HSTS takes place immediately rather than only after their first visit.

SilverlightFox
  • 34,178
  • 6
  • 73
  • 190
-2

SSLstrip was a tool to test for MITM weaknesses agains the SSL protocol during the initial handshake process.

It performed a cipher downgrade attack which tricked the server into using a very weak encryption cipher leaving the connection open for further attacks with frequency analysis etc.

The weakness it tested against has long been fixed.

The handshake for TLS/SSL occurs prior to any HSTS protocol (look up the OSI model regarding layer 3 & 4 (TLS) and layers 6 (HSTS).

jas-
  • 939
  • 5
  • 9
  • 1
    -1. SSLStrip has nothing to do with a downgrade attack to very weak encryption. SSLStrip would just prevent the browser/server from setting up a HTTPS connection in the first place. – Michael May 19 '15 at 11:58
  • 2
    I stand corrected. – jas- May 19 '15 at 13:46