SSL Stripping Explained and How to Avoid It

Cybercrime continues to be on rise, and over half the consumer population has been a victim at some point. SSL stripping (otherwise known as an HTTPS downgrade) is a distinct type of man-in-the-middle (MitM) attack, and it puts your online security and privacy in jeopardy. Unfortunately, SSL stripping is a fairly easy way for malicious hackers to grab your important data, including financial information and passwords. 

Click on your browser address bar — you may not have paid much attention to the ‘s’ in ‘https’ before, but that’s one very important letter. Even if you know the difference between HTTP and HTTPS, you may not realize how simple it can be for an attacker to strip encryption to access your sensitive information if you’re not careful. 

You’re particularly vulnerable to SSL stripping when you connect to an unsecured Wi-Fi network, or even a WPA2-secured public Wi-Fi hotspot. All an attacker needs to execute a sophisticated MitM attack like this is a simple laptop. Let’s examine SSL stripping more closely and see what you can do to keep your information truly secure and private online.

Man-in-the-Middle Attacks on the Rise

Experts estimate more than a third of all cyberattacks we see today are man-in-the-middle attacks. Cybercriminals position themselves as interceptors between you and the destination web server. That allows the malicious hacker to access all your online communication. 

When Belgian researchers first discovered KRACK attacks (Key Reinstallation Attacks), the world realized even secured Wi-Fi connections aren’t secure. KRACK attacks rely on vulnerabilities in the WPA2 protocol to compromise the encryption key and the entire data network itself. As we’ll see below, SSL stripping is a type of MitM attack and has much in common with KRACK. 

Pro Tip: Use a secure VPN to protect against all kinds of man-in-the-middle attacks, including KRACK and SSL stripping. Take advantage of CyberGhost VPN’s 45-day money-back guarantee to enjoy end-to-end 256-bit AES encryption.

What is SSL Stripping?

A browser address bar with HTTPS visible
SSL stripping prevents an HTTP site from redirecting to a secure HTTPS page

Take a look at your web browser’s address bar and you’ll find a small padlock icon next to the web address. The icon indicates you have a secure connection through HTTPS, an application layer protocol on the internet that encrypts all information leaving your computer end-to-end. HTTPS uses SSL (Secure Socket Layer)/TLS (Transport Layer Security) to create a secure tunnel between you and the web server you’re accessing.

HTTP is another application layer protocol, but it’s simply plaintext — anyone on the network can read your traffic and steal your information. As the name suggests, SSL stripping is when an attacker strips away your connection’s encryption (SSL/TLS), which exposes all your data for third parties to see. 

In an SSL stripping attack, the malicious hacker ‘downgrades’ your connection to a site from HTTPS to HTTP without you or the web server realizing. 

The malicious actor “sits” in the middle of the network, between your device and the remote web server (i.e. the website). In a normal scenario, your device would connect directly with the web server. However, in an SSL stripping attack, the malicious hacker imitates the server. The hacker’s device acts as a bridge. Neither you nor the remote web server realize someone is tampering in the middle.

You think you’re connected to the familiar, trusted website you entered the URL for in the browser address bar. You may enter your passwords, banking credentials, and other information without a second thought. Just like that, the cybercriminal has a way into your accounts.

Ghostie communicates with a server while a malicious intruder listens.
Watch out, Ghosties! A cybercriminal is listening.

How does SSL Stripping Work?

SSL stripping exploits common vulnerabilities in how most people connect to websites, and in the way websites are often set up to behave. When we want to visit a specific website, we hardly ever enter the full URL, complete with a specified “https://” protocol scheme. We often just start with “www.” or even a domain keyword or two. 

When we don’t type the full “https://” address, the browser first defaults to the website’s HTTP version. If the site then supports HTTPS, it redirects the user (via a 302 redirection) to a secure site version. SSL stripping manipulates this 302 redirection. 

In the seconds that elapse between the HTTP site loading and the redirection to the HTTPS site, a malicious hacker can establish a connection to your device. The cybercriminal redirects you to their own proxy server rather than the secure HTTPS site.

Since the hacker’s proxy server connects to the website via a secure HTTPS connection, the server thinks everything’s set up just the way it should be. On the other hand the connection between your device and the hacker’s server is actually over HTTP, and thus, unsecured. 

In this SSL stripping example, you assume you’re on a trusted site like a bank portal, so you enter your credentials. Your sensitive details are passed on to the hacker’s proxy over an unencrypted channel. The criminal hacker logs all your information and uses it to establish a connection with the bank portal using your identity. 

How Does a Hacker Set up an SSL Stripping Attack? 

A malicious actor only needs to establish a bridging device between your device and the remote web server to pull off an SSL stripping attack. Let’s look at the different ways an attacker can accomplish this.

          • Using a proxy server: A proxy server acts like a gateway between a device and the internet or another network. A hacker can set up a discreet proxy server, routing all your requests for websites through that server and tampering with the connection.
          • Compromised networks and hotspots: An attacker can compromise a Wi-Fi or wired network, both secure and unsecured. Once that’s done, the hacker monitors all network communications on that network. Each time you connect to an unknown Ethernet or Wi-Fi network, say at the hotel or the airport, you risk experiencing a man-in-the-middle attack.
          • ARP spoofing attacks: A hacker can execute ARP spoofing to associate their MAC address with your IP address. When this happens, a hacker can impersonate your device and receive data on your behalf via your IP address.

Pro Tip: A VPN replaces your IP address with one from its own network. Use CyberGhost VPN to stop cybercriminals and third parties from detecting your real IP. Our military-grade encryption also makes your data absolutely unreadable, so your financial and personal information stays private.

Can You Protect a Website from SSL Stripping?

The key to foiling SSL stripping attacks is to enforce HTTPS end-to-end on all website pages. Many websites use HTTPS only for login pages, and then default to HTTP for other pages. Websites combining HTTP and HTTPS make it easy for cybercriminals to carry out attacks. 

We recommend always using HSTS (HTTP Strict Transport Security), because it’s a more stringent standard. HSTS requires all devices to use HTTPS or display an error when the user opens an unsecured site.

SSL Manager for sites hosted with SiteGround.
Most web hosts make it easy to install an SSL certificates.

Protect Yourself From SSL Stripping on Wi-Fi Networks

Whether you’re using your Wi-Fi at home, or you’re connecting to another network, you need protection against SSL stripping and other common scams or attacks. 

A secure VPN like CyberGhost is a simple way to safeguard yourself from HTTP downgrades, and to mitigate many other cybersecurity threats.  We encrypt your connection end-to-end in a secure tunnel using 256-bit AES encryption. 

Even if a would-be attacker tries to interfere with your connection, all they’ll see is garbled data. This protects against man-in-the-middle attacks including SSL stripping. When you use a VPN, it’s an additional security layer over HTTPS encryption and it protects any unsecured HTTP traffic too.

Further Tips to Protect Yourself From SSL Stripping

Stay alert while browsing the web and when clicking on links to protect yourself and your devices from SSL stripping attacks. Here are a few simple yet highly effective tips that can come in handy.

    • ️🔒 Avoid connecting to unknown or suspicious Wi-Fi networks. It’s easy for cybercrooks to launch attacks on public or free hotspots. Always use a secure VPN like CyberGhost if you need to access Wi-Fi hotspots.
    • ️🔒 Upgrade all your web connections to HTTPS-only. Configure your browser to only use secure connections when you visit websites. Most browsers today offer you the option to only use HTTPS, and they’ll display a warning if a site supports only HTTP (and has no secure version). This is a great way to avoid visiting a potentially dangerous site.
    • ️🔒 Check the URL field on your web browser regularly and look out for the padlock icon. The icon guarantees a secure connection. If you don’t see the padlock, don’t enter any sensitive information on the site.
    • ️🔒 Use bookmarks to save secure sites you frequently visit, like internet banking portals and social media sites. This way, you avoid mistyping URLs or visiting an unsecured website version.
    • ️🔒 Ignore pop-ups you encounter, even if they scream “your system is infected with a virus”. Many pop-ups are malicious and will make you more vulnerable to a man-in-the-middle attack, ransomware, or other online threats.
    • ️🔒 Inspect a website’s certificate by clicking on the padlock icon to ensure a legitimate authority issued it. Most browsers will automatically check certificate validity, but it’s a good idea to stay aware yourself. If a website certificate appears fraudulent, immediately leave the site.
    • ️🔒 Always use a VPN. It eliminates a cybercriminal’s ability to carry out man-in-the-middle attacks like SSL stripping. It hides your IP address, encrypts all your traffic, and creates a secure tunnel for your data.

Make SSL Stripping a Thing of the Past 

In SSL stripping, one missing ‘S’ marks the difference between your data staying secure or sitting in the hands of a malicious actor. While it is a significant threat we all face when we connect to websites, it’s also a threat we can easily protect against.

A cybercriminal needs access to your connection to carry out an HTTPS downgrade attack. Follow our safety tips above to protect yourself against SSL stripping. Get CyberGhost VPN to safeguard your data and prevent all kinds of man-in-the-middle attacks. We use ironclad encryption and give you a secure connection on any network — even public Wi-Fi.


What is SSL stripping?

SSL stripping is a man-in-the-middle attack (MiTM) that gives a cybercriminal access to your internet traffic, including logins and passwords. The malicious hacker sits between your device and the web server you think you’re  accessing.
SSL stripping is also known as HTTPS downgrade, because the attacker ‘downgrades’ your encryption from HTTPS to HTTP. Your data is no longer securely encrypted once the protocol is stripped to HTTP, so the cybercriminal can read all your traffic in plaintext. 

Take advantage of CyberGhost VPN’s 45-day money-back-guarantee to encrypt all your traffic and prevent SSL stripping.

Is SSL stripping a type of MiTM attack?

Yes, SSL stripping is a man-in-the-middle attack (MiTM). The attacker establishes a proxy server as a bridge between your device and a web server. Your device connects to the attacker’s server with HTTP, and the hacker’s device is connected to the website over an HTTPS secured connection. 

In SSL stripping, the cybercriminal captures all requests from your device and passes them on to the remote server, so neither you nor the website knows your data is in the wrong hands.

What is an example of SSL stripping?

You connect to a Wi-Fi hotspot and type in your bank portal’s URL, but you don’t specify an HTTPS protocol scheme. The browser first connects to the site using an HTTP (unsecured) scheme. 

But a malicious actor has rigged the Wi-Fi hotspot, so they sit between you and your destination URL on their proxy server. The bank responds to the attacker with its HTTPS sign-in page, and the attacker passes on an HTTP version to your device. 

The webpage looks entirely familiar and you enter your credentials to log in. Since your connection to the attacker’s proxy is unencrypted, they capture your login credentials. The attacker executes fraudulent transactions from your bank account with your credentials.

How can you protect against SSL stripping?

There are a number of things you can do to protect against SSL stripping. We recommend always using HTTPS when you browse the web so your connection is encrypted. This way, no attacker can view your sensitive data.

Install CyberGhost VPN to encrypt your internet connection, and to hide your real IP. You should also type in the full URL for websites (including https://), keep an eye out for the padlock icon in the browser bar, and ignore pop-ups. 

Leave a comment

Write a comment

Your email address will not be published. Required fields are marked*