TL;DR
HTTPS Everywhere was a good first step against SSL stripping attacks, but it is not a complete defence on its own. HSTS, especially with preloading, and the HTTPS-only mode now built into major browsers are more effective, and the EFF has wound the extension down in favour of those built-in modes. An attacker who controls the network can still answer the plaintext request your browser sends to any site the extension does not upgrade, and an attacker holding a certificate your browser already trusts can intercept HTTPS itself rather than strip it.
What is an SSL Stripping Attack?
An SSL stripping attack downgrades what should be a secure HTTPS connection to an insecure HTTP one. The attacker sits between you and the website and intercepts your traffic. They connect to the website over HTTPS themselves, but relay an unencrypted HTTP version to you, rewriting every https:// link and redirect in the pages they pass along to http:// so that your browser never attempts HTTPS. Your data (passwords, credit card details, etc.) therefore travels in plain text to the attacker, who forwards it to the real site so that nothing looks broken. The classic tool for this is sslstrip.
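To make the mechanics concrete, here is a small Python model of what a downgrading proxy does to a response on its way to the victim. It is an added example, not code from the original article or from sslstrip or any other real tool; the site response, the hostnames bank.example and static.example, and the cookie are constructed for illustration.

```python
import re

# Constructed sample: the response the real site returns to the proxy over HTTPS.
# Hostnames and cookie values are made up for this example.
UPSTREAM_STATUS = 200
UPSTREAM_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Set-Cookie": "session=abc123; Secure; HttpOnly",
}
UPSTREAM_BODY = (
    "<html><body>"
    '<form action="https://bank.example/login" method="post">'
    '<input name="user"><input name="pass" type="password">'
    "</form>"
    '<a href="https://bank.example/help">Help</a>'
    '<img src="https://static.example/logo.png">'
    "</body></html>"
)

HTTPS_URL = re.compile(r"https://([A-Za-z0-9.-]+)")


def downgrade(text, stripped_hosts):
    """Rewrite every https:// URL in text to http:// and remember the host,
    so the proxy knows to speak HTTPS to it when the victim follows the link."""
    def repl(match):
        stripped_hosts.add(match.group(1).lower())
        return "http://" + match.group(1)
    return HTTPS_URL.sub(repl, text)


def strip_response(status, headers, body, stripped_hosts):
    """What the victim receives over plain HTTP in place of the real HTTPS response."""
    out = {}
    for name, value in headers.items():
        lname = name.lower()
        if lname == "strict-transport-security":
            # Dropped: a browser that never sees the HSTS policy never learns
            # to refuse plaintext for this host.
            continue
        if lname == "location":
            # A redirect to https:// becomes a redirect to http://.
            value = downgrade(value, stripped_hosts)
        if lname == "set-cookie":
            # Without the Secure flag the browser sends the session cookie
            # back over the plaintext connection the proxy controls.
            value = re.sub(r";\s*secure\b", "", value, flags=re.IGNORECASE)
        out[name] = value
    return status, out, downgrade(body, stripped_hosts)


def upstream_url(victim_url, stripped_hosts):
    """The proxy connects to the real site over HTTPS for every host whose
    links it has downgraded; the victim only ever sees http://."""
    match = re.match(r"http://([A-Za-z0-9.-]+)(/.*)?$", victim_url)
    if match and match.group(1).lower() in stripped_hosts:
        return "https://" + match.group(1) + (match.group(2) or "/")
    return victim_url


if __name__ == "__main__":
    hosts = set()
    status, headers, body = strip_response(
        UPSTREAM_STATUS, UPSTREAM_HEADERS, UPSTREAM_BODY, hosts)
    print(status, headers)
    print(body)
    # The victim's browser now posts the password to http://bank.example/login
    # in the clear; the proxy reads it and forwards the request here:
    print(upstream_url("http://bank.example/login", hosts))
```

The three header edits are the whole trick: the HSTS header is removed so the browser never learns the site's policy, the redirect and every link are downgraded so the browser keeps asking for http://, and the cookie loses its Secure flag so the session keeps working over the plaintext leg. Nothing about this requires a forged certificate, which is why no browser warning appears.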
How Does HTTPS Everywhere Help?
HTTPS Everywhere is a browser extension that tries to force websites to use HTTPS whenever possible. It rewrites requests to use https:// instead of http:// according to a bundled set of rulesets, a database of sites known to support HTTPS, before the request leaves the browser. Later versions added an "Encrypt All Sites Eligible" mode that blocks plain HTTP to every site, which is essentially what browsers now offer natively as an HTTPS-only mode.
Why Isn’t HTTPS Everywhere Enough?
- Network Control: The extension rewrites URLs inside your browser; it cannot protect a request that still leaves as plain HTTP. An attacker who controls the network (e.g., a public Wi-Fi hotspot, or a LAN where they have poisoned ARP or DNS) sees and can answer every such request, and can serve a forged HTTP page for any site the extension does not upgrade.
- Man-in-the-Middle (MITM) with a trusted certificate: Presenting a fake certificate normally triggers a browser warning, because it is the browser, not the extension, that validates certificates. If the attacker holds a certificate your browser already trusts (for example a root CA installed on a managed or compromised device), they can intercept the HTTPS connection itself. HTTPS Everywhere plays no part in certificate validation, so it offers nothing here; strictly this is TLS interception rather than stripping.
- First Request Problem: If a site is not covered by the rulesets and you type its name or follow an http:// link, the first request leaves in plain text and the attacker can answer it. Because the attacker rewrites every https:// link in the page they return, the connection never upgrades afterwards either.
- Database Limitations: The rulesets only cover the sites they list and are not always up to date. A new site or an unusual subdomain may not be included, and for it the extension does nothing.
Steps to Protect Yourself (Beyond HTTPS Everywhere)
- HSTS (HTTP Strict Transport Security): This is the most effective defence. A site sends a header such as
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
over HTTPS, and for the next max-age seconds the browser upgrades every http:// request to that host (and, with includeSubDomains, to its subdomains) to HTTPS before anything leaves the machine, and treats certificate errors as fatal rather than click-through. Websites need to enable HSTS on their servers; modern browsers enforce it well. Caveat: the browser only learns the policy from a response it received over HTTPS, so a user whose very first visit is stripped never sees it, and the policy expires if the site is not revisited within max-age.
- Preload Lists: The HSTS Preload List closes that first-visit gap. Browsers ship with a hardcoded list of domains that are always HTTPS, even on the very first visit. To be accepted a site must serve a valid certificate, redirect HTTP to HTTPS, and send the header with a max-age of at least 31536000 (one year) plus the includeSubDomains and preload directives.
- Turn On HTTPS-Only Mode: Firefox ("HTTPS-Only Mode") and Chrome ("Always use secure connections") can refuse, or warn before, every plain HTTP connection. This is what HTTPS Everywhere's strictest mode did, without depending on a ruleset.
- Always Check the URL: Before entering sensitive information, verify that the address starts with https:// and that the browser shows no certificate warning. Some browsers no longer show a padlock icon, and a padlock only means the connection is encrypted, not that the site is the one you meant to visit.
- Be Careful on Public Wi-Fi: Avoid public Wi-Fi for sensitive transactions whenever possible. If you must use it, a Virtual Private Network (VPN) encrypts the hop the hotspot operator controls; it does not protect you from the VPN provider or from anything beyond the VPN endpoint.
- Keep Your Browser Updated: Browser updates carry security fixes, including hardening of HTTPS-only behaviour, HSTS handling and certificate validation.
# Example command to update Chrome on Debian/Ubuntu
sudo apt update && sudo apt install --only-upgrade google-chrome-stable
- Use a Reputable Antivirus/Security Suite: Some security suites claim to detect and block MITM attacks. Be aware that many do so by installing their own root certificate and intercepting your HTTPS traffic themselves, which is exactly the position an attacker with a trusted certificate would occupy; make sure that is a trade-off you accept.
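The HSTS bullet, the first-request problem and the preload list are easiest to understand as one state machine in the browser. The Python below is an added example (not code from the article, from HTTPS Everywhere or from any browser) that parses a Strict-Transport-Security header, checks it against the preload-list requirements listed above, and models a browser's HSTS store well enough to show when a plain http:// request still leaves the machine. The hostname bank.example is constructed; the assumption that preloaded entries cover subdomains is noted in the code.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

ONE_YEAR = 31536000  # minimum max-age accepted by the HSTS preload list


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool
    preload: bool


def parse_hsts(header: str) -> Optional[HstsPolicy]:
    """Parse a Strict-Transport-Security header value (RFC 6797 directive syntax).
    Returns None when the header is malformed or lacks the mandatory max-age."""
    max_age = None
    include_subdomains = False
    preload = False
    for directive in header.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    if max_age is None:
        return None
    return HstsPolicy(max_age, include_subdomains, preload)


def preload_problems(policy: HstsPolicy) -> list:
    """Reasons the header would fail the hstspreload.org submission requirements."""
    problems = []
    if policy.max_age < ONE_YEAR:
        problems.append("max-age must be at least 31536000 (one year)")
    if not policy.include_subdomains:
        problems.append("includeSubDomains directive missing")
    if not policy.preload:
        problems.append("preload directive missing")
    return problems


class Browser:
    """Minimal model of a browser's HSTS store plus a built-in preload list."""

    def __init__(self, preloaded=(), now=0.0):
        # Assumption for this model: preloaded entries cover their subdomains,
        # since submission requires includeSubDomains.
        self.preloaded = {h.lower() for h in preloaded}
        self.store: Dict[str, Tuple[float, bool]] = {}  # host -> (expiry, includeSubDomains)
        self.now = now

    def observe(self, host: str, hsts_header: str) -> None:
        """Record a policy. Real browsers only do this for a response received over
        HTTPS with a valid certificate, so a stripped first visit teaches them nothing."""
        policy = parse_hsts(hsts_header)
        if policy is None:
            return
        host = host.lower()
        if policy.max_age == 0:
            self.store.pop(host, None)  # max-age=0 asks the browser to forget the host
        else:
            self.store[host] = (self.now + policy.max_age, policy.include_subdomains)

    def request_scheme(self, url: str) -> str:
        """Scheme the browser actually uses on the wire for this URL."""
        match = re.match(r"(https?)://([^/:?#]+)", url)
        scheme, host = match.group(1), match.group(2).lower()
        if scheme == "https" or self._covered(host):
            return "https"
        return "http"  # the window in which SSL stripping works

    def _covered(self, host: str) -> bool:
        labels = host.split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            if candidate in self.preloaded:
                return True
            entry = self.store.get(candidate)
            if entry and entry[0] > self.now and (i == 0 or entry[1]):
                return True
        return False
```

Walking through it: a fresh browser with no preload entry sends http://bank.example/ in the clear, which is the stripping window; once it has seen the header over HTTPS it upgrades that host (and its subdomains only if includeSubDomains was set) until max-age runs out; a preloaded host is upgraded from the very first request. Server operators can use parse_hsts and preload_problems against their own header to see why a submission would be refused.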
Technical Details (For Advanced Users)
SSL stripping is usually done with a proxy that the victim's traffic is forced through: a purpose-built stripping proxy such as sslstrip, or a general-purpose interception proxy such as mitmproxy. Note the difference between the two: a stripping proxy never speaks TLS to the victim, so no certificate warning appears, whereas mitmproxy by default terminates TLS with its own CA certificate, which the victim's browser will reject unless that CA has been installed on the device.
# Example mitmproxy command (basic usage - not for actual attacks!)
mitmproxy --listen-port 8080
To get the victim's traffic to the proxy in the first place, attackers redirect it with ARP poisoning on the local network, DNS spoofing, or a rogue access point, and then redirect the victim's port 80 traffic to the proxy's listening port.
Conclusion
HTTPS Everywhere was a useful tool, but it was never a silver bullet. A layered approach, HSTS with preloading on the server side, an HTTPS-only mode in the browser, careful browsing habits and updated software, provides the best protection against SSL stripping and related attacks.