How does sslstrip work?

599    Asked by AnishaDalal in Cyber Security , Asked on Sep 27, 2022

I've been reading up on SSLstrip and I'm not 100% sure on my understanding of how it works.


A lot of documentation seems to indicate that it simply replaces occurrences of "https" with "http" in traffic that it has access to. So a URL passing through such as "https://twitter.com" would be passed on to the victim as "http://twitter.com".


At this point does SSLstrip continue to communicate with Twitter via HTTPS on our behalf? Something like this:


Victim  <== HTTP ==>  Attacker  <== HTTPS ==>  Twitter

Or is it just the fact that the client is now communicating with Twitter over HTTP that gives us access to the traffic?


Victim  <== HTTP ==>  Attacker  <== HTTP ==>  Twitter

My guess is it would be the first option where the Attacker continues to communicate with Twitter via HTTPS as it is enforced by Twitter but I would just like some clarification. 

Answered by Andrew Jenkins

You should watch Moxie Marlinspike's talk Defeating SSL using SSLStrip. In short SSLStrip is a type of MITM attack that forces a victim's browser into communicating with an adversary in plain-text over HTTP, and the adversary proxies the modified content from an HTTPS server. To do this, SSLStrip is "stripping" https:// URLs and turning them into http:// URLs.


HSTS is a proposed solution to this problem.



Your Answer

Interviews

Parent Categories