HTTPS Man-in-the-Middle Attack and SSL Stripping Explained in Detail

1. Attack Overview
HTTPS Man-in-the-Middle Attack (HTTPS MITM) is a variant of the traditional MITM attack that specifically targets encrypted HTTPS connections. The attacker uses specific techniques to position themselves between the client and the server, which lets them eavesdrop on, intercept, or tamper with communication that should have been encrypted. SSL Stripping is one of the key techniques used to achieve this.

2. Prerequisite Knowledge: HTTPS Connection Establishment Process
To understand the attack, one must first know the normal HTTPS connection establishment process:

  • Step 1: Client initiates a request. The user enters https://example.com in the browser, and the browser initiates a connection request to the server's port 443.
  • Step 2: SSL/TLS Handshake. The server returns its digital certificate. The browser verifies the certificate's validity (e.g., whether it's issued by a trusted Certificate Authority, if the domain name matches, if the certificate is within its validity period).
  • Step 3: Key Negotiation. After successful verification, both parties negotiate a symmetric session key.
  • Step 4: Encrypted Communication. All subsequent HTTP data is encrypted using this session key for transmission.

3. Attack Principle and Necessary Conditions

  • Core Principle: The attacker needs to successfully position themselves on the communication path between the client and server. This is typically achieved through the following methods:
    • ARP Spoofing: Within a local area network, the attacker sends forged ARP replies that associate the gateway's IP address with the attacker's own MAC address, so the victim's packets are sent to the attacker's machine first.
    • DNS Spoofing: Tampering with DNS resolution results, resolving the domain name the victim wants to visit to an IP address controlled by the attacker.
    • Malicious Wi-Fi Hotspots: The attacker sets up a free public Wi-Fi hotspot; all traffic from users connected to this hotspot passes through the attacker's device.
  • Attack Goal: Even with HTTPS in place, the attacker attempts to undermine its protection, with the ultimate goal of obtaining the plaintext of the communication.

4. SSL Stripping Attack Explained in Detail
This is a "downgrade attack" aimed at preventing the client from establishing an HTTPS connection with the server, forcing it to use insecure HTTP instead.

  • Attack Scenario: A user attempts to visit a website (e.g., an online banking site) that supports both HTTP and HTTPS, and typically uses an HTTP 302 redirect to move users from HTTP to HTTPS.
  • Attack Steps:
    1. Positioning: The attacker has already become the man-in-the-middle via ARP spoofing or by controlling a Wi-Fi hotspot.
    2. Intercept HTTP Request: When the victim types http://example.com (note: HTTP) or even just example.com (the browser might default to trying HTTP first) into their browser, this request is first intercepted by the attacker.
    3. Playing a "Dual Role":
      • To the Client: The attacker pretends to be the server for example.com and establishes a plain HTTP connection with the victim.
      • To the Server: The attacker establishes a normal HTTPS connection with the real example.com server using their own identity.
    4. Block the Redirect: When the real server returns a "302 Found" redirect response instructing the browser to jump to https://example.com, this response is intercepted by the attacker. The attacker discards this redirect instruction.
    5. Forge Response: The attacker, acting as the server, returns a seemingly normal HTTP page to the victim's browser (this page might be forged by the attacker, or obtained from the real server via HTTPS, decrypted, and then passed back via HTTP).
    6. Maintain Connection: Thereafter, all communication occurs within the "Victim <--(HTTP)--> Attacker <--(HTTPS)--> Server" channel. The victim's browser address bar shows http://... with no security lock icon, but the user might not notice this, especially if the attacker has carefully forged the page styling.
    7. Result: All the victim's sensitive data (e.g., username, password) is transmitted in plaintext between the victim and the attacker, easily captured by the attacker.

5. Defense Measures
Defense requires a joint effort from website administrators and users.

  • For Website Administrators (The Most Effective Defense):

    • Enforce HSTS: This is the core mechanism against SSL Stripping.
      • Principle: The website sets the Strict-Transport-Security: max-age=31536000 header in its HTTPS response. Upon receiving this header, the browser will, for the duration specified by max-age, automatically convert all requests for that site to HTTPS internally before initiating them, even if the user types HTTP.
      • Key Feature: Preload List: Website administrators can submit their domain to the browser's HSTS preload list. This list is built into the browser. Even on the user's first visit to the website, the browser will force the use of HTTPS, completely eliminating the risk of SSL stripping during the initial visit.
  • For Users:

    • Cultivate Good Habits: Always manually type https:// in the address bar or use bookmarks to save HTTPS links.
    • Be Wary of Security Warnings: Pay close attention to whether the lock icon appears in the address bar and if the browser indicates an insecure connection.
    • Avoid Untrusted Public Networks: For sensitive operations, try to use your own mobile data network.
    • Use a VPN: On public networks, encrypting all traffic via a VPN can prevent man-in-the-middle attacks within the same local network.
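As an added illustration (not code from the original article), the following Python model of a browser's HSTS cache shows why the attack steps in section 4 succeed on a first plain-HTTP visit and how the HSTS header and preload list from section 5 close that window: a policy is only accepted from an HTTPS response, and while it is unexpired the browser rewrites http:// to https:// before any request leaves, so the stripping proxy never receives the plaintext first hop. The `bank.example` preload entry and all host names are constructed placeholders.

```python
import time
from urllib.parse import urlsplit, urlunsplit

PRELOAD_LIST = {"bank.example"}  # constructed stand-in for the browser's built-in preload list

def parse_hsts(value):
    """Return (max_age, include_subdomains), or None if max-age is missing/malformed."""
    max_age, include_sub = None, False
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        name, val = name.strip().lower(), val.strip().strip('"')
        if name == "max-age":
            if not val.isdigit():
                return None
            max_age = int(val)
        elif name == "includesubdomains":
            include_sub = True
    return None if max_age is None else (max_age, include_sub)

class HstsStore:
    """Minimal model of a browser's HSTS cache: host -> (expiry, include_subdomains)."""
    def __init__(self, now=time.time):
        self.now, self.policies = now, {}
    def observe_response(self, url, headers):
        """Record a policy; only HTTPS responses count (a header injected into plain HTTP is ignored)."""
        parts = urlsplit(url)
        parsed = parse_hsts(headers.get("Strict-Transport-Security", ""))
        if parts.scheme != "https" or parsed is None:
            return False
        max_age, include_sub = parsed
        if max_age == 0:                        # max-age=0 withdraws the policy
            self.policies.pop(parts.hostname, None)
        else:
            self.policies[parts.hostname] = (self.now() + max_age, include_sub)
        return True
    def is_known_https(self, host):
        """True if host is preloaded or covered by an unexpired cached policy."""
        labels = host.split(".")
        for i in range(len(labels)):
            parent = ".".join(labels[i:])
            expiry, include_sub = self.policies.get(parent, (0, False))
            if parent in PRELOAD_LIST or (expiry > self.now() and (i == 0 or include_sub)):
                return True
        return False
    def upgrade(self, url):
        """Rewrite http:// to https:// before the request leaves the browser."""
        parts = urlsplit(url)
        if parts.scheme == "http" and self.is_known_https(parts.hostname):
            return urlunsplit(("https",) + tuple(parts[1:]))
        return url
```

On the very first plain-HTTP visit to a non-preloaded site, `upgrade` leaves the URL unchanged, which is exactly the window the stripping attack relies on; once a policy has been cached over HTTPS (or the domain is preloaded), the attacker never sees an HTTP request to strip.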

By understanding the principles of HTTPS Man-in-the-Middle attacks and SSL Stripping, we can better appreciate why enforcing HTTPS (through technologies like HSTS) is crucial for modern web security.