I’ve made quite a few posts on http and https, so this will be the last one for a while. If you’ve been following these recent posts, I mentioned that even https is not 100 percent secure. It is very good protection and will keep us safe most of the time; however, there are ways for a hacker to get at the contents of our “protected” http traffic without breaking the SSL/TLS encryption at all. If you don’t know what https is, I suggest you read this before you move on.
So, should we bother with https? Of course! I’ll put this into a security perspective. You understand that the lock on your front door doesn’t keep you 100 percent safe, correct? Do you just throw the lock away because it’s not foolproof? No, you lock the door anyway. We continue to use https for the same reason. It’s very good protection, but there are ways around it. The reason we think it’s so secure is also the reason we let our guard down.
Hackers like to use “SSL stripping” to read your https sessions. It gets its name because it strips the “s” out of https: the victim is quietly downgraded to plain http while the attacker keeps the real https connection to the server for himself. Several tools automate this; the best known is sslstrip. Let’s create a scenario to see how this attack unfolds.
Alice is at her local Starbucks and wants to order a coffee. She’s unsure about how much money she has left on her debit card, so she opens her bank’s website in her phone’s browser and signs in over Starbucks’ open Wi-Fi. We’ll just say the site is https://bank.com. What she doesn’t realize is that a hacker on the same Wi-Fi is already in position. The hacker, Harry, has established a man-in-the-middle attack. In a more benevolent situation, this is what should happen between Alice and the bank’s Web server: Alice’s browser connects directly to bank.com, negotiates an encrypted https session, and verifies the bank’s certificate. Nobody else on the Wi-Fi can read or alter the traffic.
Kind of simplistic, but with the man-in-the-middle attack, we get something like this: Alice’s browser talks plain http to Harry’s proxy, and Harry’s proxy talks https to bank.com.
In this man-in-the-middle attack, the hacker’s proxy sits in the path between Alice and her bank’s server. The hacker gets there through ARP poisoning: on the local network he sends ARP replies claiming that the Wi-Fi gateway’s IP address belongs to his own MAC address, so Alice’s phone sends everything destined for the Internet to him instead. His proxy forwards all of Alice’s traffic to the real gateway and accepts the replies intended for her on her behalf, so from Alice’s point of view nothing has changed. If you’re having trouble understanding what this means, you can read about man-in-the-middle attacks via ARP poisoning here. It’s a very, very simple process.
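To make the poisoning step concrete, here is an added example (my own code, not from the original post or from any ARP-spoofing tool) that builds the unsolicited ARP reply Harry would broadcast, parses it back, and runs a simple detector of the kind a network monitor uses: it remembers the first MAC address seen for each IP and raises an alert when a later reply claims a different one. All addresses are constructed for the illustration. The frame is built by hand so the example runs offline and never touches a real network interface.

```python
import struct

ETH_P_ARP = 0x0806          # EtherType for ARP
ARP_REQUEST, ARP_REPLY = 1, 2

# Constructed addresses for this illustration (assumptions, not from the post).
GATEWAY_IP, GATEWAY_MAC = "192.168.1.1", "aa:aa:aa:aa:aa:01"
ALICE_IP, ALICE_MAC = "192.168.1.50", "bb:bb:bb:bb:bb:50"
HARRY_MAC = "cc:cc:cc:cc:cc:99"


def mac_bytes(mac):
    return bytes(int(x, 16) for x in mac.split(":"))


def ip_bytes(ip):
    return bytes(int(x) for x in ip.split("."))


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b):
    return ".".join(str(x) for x in b)


def build_arp_reply(sender_ip, sender_mac, target_ip, target_mac):
    """Ethernet header + ARP reply (RFC 826 layout), 42 bytes in total.

    Poisoning is simply lying in the sender fields: sender_ip is the
    gateway's address but sender_mac is Harry's card.
    """
    eth = mac_bytes(target_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)  # Ethernet/IPv4, reply
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip)
    arp += mac_bytes(target_mac) + ip_bytes(target_ip)
    return eth + arp


def parse_arp(frame):
    """Decode a raw frame; returns None if it is not an Ethernet/IPv4 ARP frame."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    hw, proto, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (hw, proto, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {
        "op": op,
        "sender_mac": mac_str(frame[22:28]),
        "sender_ip": ip_str(frame[28:32]),
        "target_mac": mac_str(frame[32:38]),
        "target_ip": ip_str(frame[38:42]),
    }


class ArpWatch:
    """Minimal arpwatch-style detector: an IP that changes MAC is suspicious."""

    def __init__(self):
        self.table = {}    # ip -> first MAC seen
        self.alerts = []   # (ip, old_mac, new_mac)

    def observe(self, frame):
        pkt = parse_arp(frame)
        if pkt is None or pkt["op"] != ARP_REPLY:
            return None
        ip, mac = pkt["sender_ip"], pkt["sender_mac"]
        known = self.table.setdefault(ip, mac)
        if known != mac:
            alert = (ip, known, mac)
            self.alerts.append(alert)
            return alert
        return None


if __name__ == "__main__":
    watch = ArpWatch()
    watch.observe(build_arp_reply(GATEWAY_IP, GATEWAY_MAC, ALICE_IP, ALICE_MAC))
    print(watch.observe(build_arp_reply(GATEWAY_IP, HARRY_MAC, ALICE_IP, ALICE_MAC)))
```

The detector is deliberately naive: a legitimate gateway that is replaced or that fails over to a standby will trip it too, which is exactly why real deployments pair this check with a list of known gateway MAC addresses or with DHCP snooping and dynamic ARP inspection on the switch.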
After the hacker establishes the man-in-the-middle attack between Alice and the bank’s Web server, he waits for Alice’s first request, which is plain http: she typed bank.com into the address bar, or followed an http link, and the site would normally bounce her to https with a redirect. The sslstrip tool intercepts that request and makes the https connection to the bank itself. It does not forge a certificate; the bank’s real certificate is checked by Harry’s proxy, not by Alice’s browser, so Alice never sees a certificate warning. Everything that comes back from the bank is then rewritten before it is handed to Alice: the redirect to https://bank.com becomes a redirect to http://bank.com, and every https:// link in the page becomes http://. The proxy remembers which links it stripped so that when Alice follows one it quietly makes the corresponding https request upstream. The original sslstrip could even swap the site’s favicon for a padlock icon to make the tab look “secure.” So, now Alice is actually on http://bank.com and not https://bank.com, talking in cleartext to Harry while Harry talks https to the bank (Avicoder, 2016).
Alice, like most people, is not going to notice that the “s” is missing in the URL bar. So, she signs in with her credentials, which the hacker is now able to read off the wire. Very soon, Alice will be missing money in her bank account. Note what the attack depends on: Alice’s first request has to be unencrypted. If she types https:// herself, uses an https bookmark, or her browser already knows the site through HTTP Strict Transport Security (HSTS) and upgrades the request before it leaves the phone, there is nothing for sslstrip to strip. Modern browsers also label plain http pages “Not secure,” which is the cue to look for.
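The rewriting described above, as an added example that is not part of the original post and not sslstrip’s own code: a model of the attacker-side proxy that downgrades a bank response (the https redirect, the https links in the page, and, so the browser will still send the session cookie over http, the cookie’s Secure flag and the HSTS header), remembers what it stripped so it can re-upgrade Alice’s next request upstream, and a model of the browser-side HSTS check that stops the attack when the host is already known. The response headers and page body are constructed for the illustration.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Any absolute https:// URL in a page body (good enough for the demo).
HTTPS_URL = re.compile(r"https://[^\s\"'<>]+")


class StripProxy:
    """Attacker side. Upstream it speaks https to the bank; downstream it
    hands Alice plain http, rewriting anything that would lead her back
    to https."""

    def __init__(self):
        self.stripped = set()   # http:// URLs that were really https://

    def _strip(self, url):
        plain = "http://" + url[len("https://"):]
        self.stripped.add(plain)
        return plain

    def rewrite_response(self, headers, body):
        """Rewrite a response coming back from the bank before Alice sees it."""
        out = {}
        for name, value in headers.items():
            lname = name.lower()
            if lname == "location" and value.startswith("https://"):
                value = self._strip(value)            # redirect-to-https -> http
            elif lname == "strict-transport-security":
                continue                              # never let the browser learn HSTS
            elif lname == "set-cookie":
                value = re.sub(r";\s*secure", "", value, flags=re.I)  # cookie must flow over http
            out[name] = value
        body = HTTPS_URL.sub(lambda m: self._strip(m.group(0)), body)
        return out, body

    def upstream_url(self, url):
        """Alice asks for http://...; the proxy asks the bank for the real https URL."""
        if url in self.stripped:
            return "https://" + url[len("http://"):]
        return url


class Browser:
    """Victim side. Hosts in the HSTS store are upgraded before any packet leaves."""

    def __init__(self, hsts_hosts=()):
        self.hsts = set(hsts_hosts)

    def navigate(self, url):
        parts = urlsplit(url)
        if parts.scheme == "http" and parts.hostname in self.hsts:
            return urlunsplit(("https",) + tuple(parts[1:]))
        return url


def demo():
    """Constructed bank response: redirect to https, HSTS, a Secure cookie, an https link."""
    proxy = StripProxy()
    upstream_headers = {
        "Location": "https://bank.com/login",
        "Strict-Transport-Security": "max-age=31536000",
        "Set-Cookie": "session=abc; Secure; HttpOnly",
    }
    upstream_body = '<a href="https://bank.com/login">Sign in</a>'
    headers, body = proxy.rewrite_response(upstream_headers, upstream_body)
    return {
        "headers": headers,
        "body": body,
        "upstream": proxy.upstream_url("http://bank.com/login"),
        "naive": Browser().navigate("http://bank.com/login"),
        "hsts": Browser(["bank.com"]).navigate("http://bank.com/login"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, "=>", v)
```

Two things fall out of the model. First, the proxy never has to touch a certificate: the bank’s certificate is validated by the proxy’s own https client, which is why the browser shows no warning. Second, the only moving part the victim controls is the first request. A browser that already has bank.com in its HSTS store (from an earlier https visit or from the preload list) rewrites the URL to https before the proxy sees anything, and the downgrade never happens.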
Avicoder. (2016). SSLstrip for Newbies. Retrieved from https://avicoder.me/2016/02/22/SSLstrip-for-newbies/