Does the sslstrip attack only work on websites which use both HTTP and HTTPS? On Quora a commenter says that:

One thing to note is that SSL Strip only works on websites which use both HTTP & HTTPS. For example, Ebay, where the main page is over HTTP, but then it transfers to HTTPS for the login, purchase & so on. In order to defend against these attacks, it is advised to use SSL throughout the site, in other words to use only HTTPS and not HTTP. Another way is using HSTS (Strict Transport Security); this will instruct the browser to connect only through HTTPS and never via HTTP.

But I know that Google is not using both HTTP and HTTPS; they are just using HTTPS and also using an HSTS header against sslstrip attacks. Does that mean that the comment above is false? I mean, is an SSLStrip attack still possible against a website that is only using HTTPS?

Hasan
  • Ssl is not possible on websites which don't use both, http and https – Tryna Learn Somethin Apr 11 '18 at 13:40
  • So why is google using HSTS against SSLStrip attacks? Google is using just HTTPS protocol. – Hasan Apr 11 '18 at 13:43
  • I'm not sure what you've been googling, but I googled `how does sslstrip work` and got pointed to [this question](https://security.stackexchange.com/questions/41988/how-does-sslstrip-work) which has a brief explanation, mentions that HSTS will defeat SSLStrip, and references a video explaining SSLStrip. Google also pointed me to [SSLStrip for Newbies](https://avicoder.me/2016/02/22/SSLstrip-for-newbies/) by Moxie Marlinspike. – Neil Smithline Apr 11 '18 at 13:43
  • 1
    @Hasan "Google is using just HTTPS protocol" I don't know where you got this idea but you're incorrect. When curling it doesn't even give me a redirect, but curling with a browser's user agent gives me a 302. – AndrolGenhald Apr 11 '18 at 14:10
  • 8
    Just to be clear here: The quote from Quora is incorrect. What protocols the server supports is of zero relevance in an sslstrip attack. It is the behaviour of the client that is important. Remember, it is the MITM and not the client that talks to the server if there is an attack. – Anders Apr 11 '18 at 14:12
  • @AndrolGenhald I used Burp and it showed me that Google is using HSTS in the response header: https://cdn.pbrd.co/images/Hggwzhr.png – Hasan Apr 12 '18 at 11:50
  • @Hasan No one is disputing that, I'm disputing your claim that Google doesn't use HTTP. Arminius and Anders have a more important point though; it doesn't matter if Google responds to HTTP requests, if you make an unencrypted request you're vulnerable to sslstrip. – AndrolGenhald Apr 12 '18 at 12:59

3 Answers

SSL Strip only works on websites which use both HTTP & HTTPS.

That's not accurate because it implies turning off HTTP support secures against the attack.

The point is that sslstrip steps in when the user requests a site over plain HTTP first. It's about how the browser attempts to connect to the server, not what the server supports. You're only safe if the browser doesn't attempt a plain HTTP connection at all (because of an HSTS directive it has seen earlier or because the website is in the browser's HSTS preload list).

I mean, is an SSLStrip attack still possible against a website that is only using HTTPS?

Yes. Let's say https://yourbank.example/ doesn't serve anything over plain HTTP. Now, I send you a link to http://yourbank.example/ anyway. When your browser attempts the plain request, I use sslstrip to intercept it and respond with a phishing site. As you see, it's irrelevant if the original site would have served any content over plain HTTP because I don't forward the request anyway.

Arminius

Sslstrip requires that the connection between the client and the sslstrip instance is done over plain HTTP. The connection from sslstrip to the server can be either HTTP or HTTPS.

This means that if the client first requests the site with plain HTTP, then sslstrip works. If instead the client already starts with HTTPS, since it either knows that the site is only accessible by HTTPS or the browser enforces HTTPS because of an HSTS policy (preloaded or from earlier visits), then sslstrip will not work.

Steffen Ullrich

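Both answers above reduce to one test: does a plaintext request ever leave the client? The following is an added example, written for this page and not code from any of the posters or from the sslstrip tool, that models that client-side decision in Python: a small HSTS store (preload list plus policies learned from Strict-Transport-Security headers) and a function that reports whether an on-path party would see plaintext. The hostname yourbank.example comes from Arminius' answer; preloaded.example, the header values and the clock are constructed for the simulation, and nothing touches the network.

```python
"""Browser-side model of whether an sslstrip-style MITM ever sees a request
it can tamper with.  Constructed example: hostnames, headers and the clock
are made up; the origin server's own HTTP/HTTPS support is never consulted."""
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass
class HstsEntry:
    expires: float           # absolute time (seconds) at which the policy lapses
    include_subdomains: bool


def parse_hsts(header):
    """Parse a Strict-Transport-Security value (RFC 6797, section 6.1).
    Returns (max_age_seconds, include_subdomains), or None when the header is
    unusable (max-age missing or malformed) and must therefore be ignored."""
    max_age, include_sub = None, False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            value = value.strip().strip('"')
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
    return None if max_age is None else (max_age, include_sub)


class Browser:
    """Minimal HSTS store: a preload list plus policies learned from responses."""

    def __init__(self, preload=(), now=None):
        self.now = now or (lambda: 0.0)
        self.learned = {}
        self.preload = {h.lower(): HstsEntry(float("inf"), True) for h in preload}

    def _policy_for(self, host):
        # Exact host first, then each parent domain (honouring includeSubDomains).
        labels = host.lower().split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            for store in (self.preload, self.learned):
                entry = store.get(candidate)
                if entry and entry.expires > self.now():
                    if i == 0 or entry.include_subdomains:
                        return entry
        return None

    def learn(self, host, hsts_header, over_tls=True):
        """Record a policy.  RFC 6797 section 8.1: a header received over plain
        HTTP is ignored, so an on-path party can neither plant nor clear one."""
        if not over_tls:
            return
        parsed = parse_hsts(hsts_header)
        if parsed is None:
            return
        max_age, include_sub = parsed
        if max_age == 0:
            self.learned.pop(host.lower(), None)       # max-age=0 deletes the policy
        else:
            self.learned[host.lower()] = HstsEntry(self.now() + max_age, include_sub)

    def scheme_on_the_wire(self, url):
        """The scheme the browser will actually use for this URL."""
        parts = urlsplit(url)
        if parts.scheme == "https" or self._policy_for(parts.hostname):
            return "https"
        return "http"


def plaintext_reaches_network(browser, url):
    """True if a plaintext request leaves the client.  That is all sslstrip
    needs; what the origin server supports never enters the decision."""
    return browser.scheme_on_the_wire(url) == "http"


def scenarios():
    """Walk through the cases discussed in the answers; returns {name: exposed}."""
    clock = [1_000_000.0]                     # constructed, controllable clock
    results = {}
    b = Browser(now=lambda: clock[0])
    # 1. Fresh browser follows an http:// link to a bank that only serves HTTPS.
    results["first_visit_http_link"] = plaintext_reaches_network(b, "http://yourbank.example/login")
    # 2. After one clean HTTPS visit that returned HSTS, the same link is upgraded.
    b.learn("yourbank.example", "max-age=31536000; includeSubDomains")
    results["after_hsts_seen"] = plaintext_reaches_network(b, "http://yourbank.example/login")
    results["subdomain_after_hsts_seen"] = plaintext_reaches_network(b, "http://www.yourbank.example/")
    # 3. A max-age=0 header delivered over plain HTTP must not clear the policy.
    b.learn("yourbank.example", "max-age=0", over_tls=False)
    results["plaintext_clear_ignored"] = plaintext_reaches_network(b, "http://yourbank.example/")
    # 4. Once max-age has elapsed the browser is back to trying plain HTTP.
    clock[0] += 31536000 + 1
    results["after_expiry"] = plaintext_reaches_network(b, "http://yourbank.example/")
    # 5. A preloaded domain is protected on the very first request, subdomains included.
    p = Browser(preload=["preloaded.example"], now=lambda: clock[0])
    results["preloaded_first_visit"] = plaintext_reaches_network(p, "http://accounts.preloaded.example/")
    return results
```

Scenario 1 is the case the Quora quote gets wrong: the bank serves nothing over HTTP, yet the first plain request still leaves the browser and is interceptable. Scenarios 2 and 5 are the two defences Arminius names (a header seen on an earlier clean visit, or a preload entry), and scenario 4 is the caveat that a short max-age hands the window back once the policy lapses, which is why deployments pair a long max-age with preloading.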
The answer:

Let's take a scenario in which there is a victim machine (A), an attacker machine (B) and a server (C). SSL strip is running on the attacker machine, which is a proxy server. Hence, there is no direct connection between the victim and the server.

Victim A wants to transfer money from his account using an online banking service and he enters the following URL into the address bar of the browser:

www.foobank.com/online_banking

In the background, the victim’s browser that is connected to the attacker’s machine waits for the response from the server. Attacker B forwards the victim A’s request and waits for the response from the bank server. The connection between B and C is secure, which means that all the traffic that is transferred between them (B & C) is through the SSL tunnel.

The Bank server responds with the login page that has the following URL:

https://www.foobank.com/online_banking

At this stage, the attacker has access to the login page. Next, attacker (B) modifies the response from the server from https to http and sends it to victim (A), which results in the browser now being addressed to http://www.foobank.com/online_banking.

At this point, the victim has access to the internet banking login page over an insecure connection with the attacker. From this point onwards, all the victim's requests go out in plain text and the attacker can sniff the data and collect the credentials.

The server thinks it has successfully established the connection, which in this scenario is between the attacker and the server (i.e., between B & C), while the victim (A) also thinks that it is talking to the legitimate server (C).

So

SSLStrip doesn't depend on the server's behavior, it depends on the client. If you can get the client to make the request over HTTP, instead of HTTPS, you can perform the attack, even if the server only supports HTTPS. HSTS prevents the browser from performing the plain HTTP request in the first place (on subsequent requests).

Conclusion:

Google is using only HTTPS and using the HSTS header against SSLStrip attacks, because SSLStrip attacks can occur even if the web server is using only HTTPS.

Resource: https://avicoder.me/2016/02/22/SSLstrip-for-newbies/

Hasan