0

Been trying to wrap my head around SSL stripping.

An explanation here writes:

Keep in mind, however, that when you install SSL, you’re essentially creating a duplicate of your website with HTTPS URLs. Those original HTTP URLs still exist, though. Usually, you use 301 or 302 redirects to ensure users can’t reach the HTTP site, but if an attacker can manipulate the redirect, they can still send the user to that page.

How is it possible to get the user to the HTTP page if the server does an automatic redirect?

I am a newbie at networking and attacks so any help is appreciated helping me wrap my head around this!

schroeder
  • 123,438
  • 55
  • 284
  • 319
banonazna
  • 1
  • 1
  • "if an attacker can manipulate the redirect" -- that's the answer to your second question. Are you asking *how* an attacker can manipulate? – schroeder Apr 24 '21 at 07:51
  • "Clone" means a copy of the site. Since this is a short answer and basically a quick definition, And since your guess at what clone means is wrong, I've removed that part of the question to focus on the meatier part. – schroeder Apr 24 '21 at 07:53
  • OP, the initial request by the victim must by by http (not https) for the sslstrip attack to work. See http://www.youtube.com/watch?v=MFol6IMbZ7Y for more info. – mti2935 Apr 24 '21 at 11:00
  • 1
    OP, In the article that you cited, where it reads 'but if an attacker can manipulate the redirect', this only works is the victim's initial request is by http. The attacker then 'strips' the 301 or 302 redirect to the https site from the response, and instead returns the page, but with all the htttps links changed to http. However, tf the victim makes the initial request by https, this attack doesn't work. This is why standards such as HSTS prevent sslstrip attacks. See https://blog.cloudflare.com/performing-preventing-ssl-stripping-a-plain-english-primer/ for more info. – mti2935 Apr 24 '21 at 13:32
  • @schroeder yes, that's my main question, apologies! _How_ does the attacker manipulate the redirect? fundamentally, how is the stripped version of the page being served back to the client from the MITM? – banonazna Apr 24 '21 at 15:38
  • @mti2935 I understand the basic setup, intercepting the HTTP request and becoming a MITM by serving the client back HTTP pages. my question is _how_ is that possible? how is the stripped version of a page sent back to the client? how is the redirect manipulated? – banonazna Apr 24 '21 at 15:44
  • OP, it's possible if the attacker is between the client and the server, and the client makes the request by HTTP (and not HTTPS). In this case, the attacker can manipulate the request and/or the response in any way he wants. – mti2935 Apr 24 '21 at 16:57
  • So, the client makes the original request to `http://paypal.com`. Attacker passed the request through to Paypal. Paypal responds with a 301 redirect to `https://paypal.com`. Attacker ditches the redirect, and instead makes his own request to `https://paypal.com`. Attacker changes all of the https links in the response to http, and sends this back to the client. Client inputs his login credentials to the login form, and submits the form. You can guess what happens next... – mti2935 Apr 24 '21 at 16:58

0 Answers0