Blog | G5 Cyber Security

SSLstrip Prevention: Enforcing HTTPS

TL;DR

Forcing your website to use HTTPS only (redirecting all HTTP requests to HTTPS) is a very effective way to prevent SSLstrip attacks. While not foolproof, it significantly raises the bar for attackers and protects most users.

How SSLstrip Works

SSLstrip sits between a user’s browser and your website as a man-in-the-middle on the initial plain-HTTP request. It rewrites the HTTPS links and redirects in your responses to HTTP, so the browser keeps talking HTTP to the attacker while the attacker talks HTTPS to your site and reads all the data in plain text. The user thinks they are still connected securely (the tool even serves a fake padlock icon), but they aren’t.

Why HTTPS Enforcement Helps

If your site *only* accepts HTTPS connections, SSLstrip has nothing to work with: there is no HTTP content to rewrite, and the browser establishes a secure connection from the start. The one remaining exposure is the very first plain-HTTP request from a browser that has never visited your site, which is what HSTS (step 3 below) closes.

Steps to Enforce HTTPS

  1. Get an SSL Certificate: If you don’t already have one, obtain an SSL/TLS certificate from a trusted Certificate Authority (CA). Let’s Encrypt is a popular free option.
  2. Configure Your Web Server: You need to tell your web server to redirect all HTTP requests to HTTPS. The exact method depends on your server software.
    • Apache (.htaccess): Add the following code to your .htaccess file:
      RewriteEngine On
      RewriteCond %{HTTPS} off
      RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
    • Nginx: Add the following to your server block configuration file:
      server {
        listen 80;
        ... other config ...
        return 301 https://$host$request_uri;
      }
      
    • Node.js (Express): Use middleware to redirect HTTP requests. The X-Forwarded-Proto check only makes sense behind a reverse proxy or load balancer that terminates TLS; when Express terminates TLS itself, req.secure covers it.
      const express = require('express');
      const app = express();

      // Trust the proxy's X-Forwarded-* headers so req.secure and req.hostname
      // reflect the original client request (only do this behind a proxy you control).
      app.set('trust proxy', true);

      app.use((req, res, next) => {
        // Already HTTPS, either directly or as reported by the proxy: carry on.
        if (req.secure || req.headers['x-forwarded-proto'] === 'https') {
          return next();
        }
        // Permanent redirect to the same host and full original URL (path + query).
        res.redirect(301, `https://${req.hostname}${req.originalUrl}`);
      });

      app.listen(80);
  3. HSTS (Highly Recommended): Implement HTTP Strict Transport Security (HSTS). This tells browsers to *always* connect to your site via HTTPS, even if a user types http://. Add the following header:
    Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

    Important: Be careful with HSTS! Once enabled, it’s difficult to disable without causing issues for users. Start with a short max-age and gradually increase it. Only add the preload directive once you intend to submit the domain to the browser preload list, because removal from that list takes far longer than letting a max-age expire.

  4. Fix Mixed Content: Ensure all resources (images, scripts, stylesheets) on your website are loaded over HTTPS. Browsers will block mixed content (HTTP resources on an HTTPS page), potentially breaking functionality.
    • Check your browser’s developer tools for warnings about mixed content.
    • Update any hardcoded HTTP URLs to HTTPS.
  5. Content Security Policy (CSP): Implement a Content Security Policy (CSP) header to further control which resources the browser is allowed to load, reducing the risk of attacks.
  6. Test Thoroughly: After implementing these changes, test your website extensively in different browsers and devices to ensure everything works correctly. Use online tools like SSL Labs to check your SSL configuration.
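As an added example (not part of the original post), the checker below evaluates the two controls from steps 2 and 3 offline: it inspects a captured HTTP response (status plus Location) for a sound HTTPS redirect, and parses the Strict-Transport-Security header to flag a too-short max-age or a preload directive that the preload list would reject. The sample inputs are constructed; to use it against a live site, feed it the status and headers returned by http.client or requests.

```python
from urllib.parse import urlsplit

ONE_YEAR = 31536000  # the max-age value used in the header above

def check_redirect(request_url, status, location):
    """Problems with an HTTP->HTTPS redirect response; an empty list means it is sound."""
    problems = []
    if status not in (301, 308):
        problems.append(f"status {status}: use a permanent redirect (301 or 308)")
    if not location:
        problems.append("no Location header")
        return problems
    src, dst = urlsplit(request_url), urlsplit(location)
    if dst.scheme != "https":
        problems.append(f"redirect target is {dst.scheme or 'relative'}, not https")
    if dst.hostname != src.hostname:
        problems.append(f"redirect changes host {src.hostname} -> {dst.hostname}")
    if (dst.path or "/") != (src.path or "/") or dst.query != src.query:
        problems.append("redirect drops the original path or query string")
    return problems

def parse_hsts(header):
    """Parse Strict-Transport-Security into its three directives."""
    out = {"max-age": None, "includeSubDomains": False, "preload": False}
    for directive in (header or "").split(";"):
        name, _, value = directive.strip().partition("=")
        name, value = name.lower(), value.strip().strip('"')
        if name == "max-age" and value.isdigit():
            out["max-age"] = int(value)
        elif name == "includesubdomains":
            out["includeSubDomains"] = True
        elif name == "preload":
            out["preload"] = True
    return out

def check_hsts(header, min_age=ONE_YEAR):
    """Problems with an HSTS header; lower min_age while ramping up as the note above advises."""
    h = parse_hsts(header)
    if h["max-age"] is None:
        return ["Strict-Transport-Security missing or has no valid max-age"]
    problems = []
    if h["max-age"] < min_age:
        problems.append(f"max-age {h['max-age']} is below the target of {min_age} seconds")
    if h["preload"] and not (h["includeSubDomains"] and h["max-age"] >= ONE_YEAR):
        problems.append("preload list requires includeSubDomains and max-age >= 31536000")
    return problems

if __name__ == "__main__":
    # Constructed sample header, not captured from a real site.
    print(check_hsts("max-age=300; preload"))
```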

Limitations

HTTPS enforcement isn’t a silver bullet:
