HTTPS Stripping

Last Updated: Aug 05, 2016 12:23PM CEST

HTTPS Stripping forces a victim's browser to communicate with an adversary over plaintext HTTP instead of encrypted HTTPS (SSL). The attacker, positioned between the client and the server, transparently converts every HTTPS request into an HTTP request, so the encrypted connection the user expects is never established.

What can happen?

An attacker can listen to conversations between a user and a server by preventing encryption from taking place, hence defeating the purpose of HTTPS.

Remediation

HTTP Strict Transport Security (HSTS) is a mechanism that enforces secure resource retrieval, even in the face of user mistakes (attempting to access your web site on port 80) and implementation errors (you or your developers place an insecure link into a secure page).

The best-case scenario is to stop serving content over HTTP altogether: the only thing the server should do when it receives a plain HTTP request is redirect to the HTTPS equivalent of the requested URL.
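As an added example (not code from the Detectify article), the following Python models the two halves of the remediation above: the browser side of HSTS, which parses a `Strict-Transport-Security` header, caches the policy per host and rewrites `http://` URLs to `https://` for known hosts so the plaintext request a stripping attacker waits for is never sent; and the server side, which answers any plain HTTP request with nothing but a redirect to the HTTPS equivalent. Hostnames, header values and timestamps are constructed for illustration.

```python
"""HSTS policy handling as a browser performs it, plus the server-side redirect rule.
Constructed illustration; hostnames and header values below are made up."""
from dataclasses import dataclass
from typing import Dict, Optional
from urllib.parse import urlsplit, urlunsplit


@dataclass
class HstsPolicy:
    expires_at: float          # absolute time in seconds after which the policy lapses
    include_subdomains: bool


def parse_hsts(header_value: str, now: float) -> Optional[HstsPolicy]:
    """Parse a Strict-Transport-Security header value (RFC 6797 syntax).

    Returns None when the header is malformed or lacks a max-age directive.
    max-age=0 yields an already-expired policy, which is how a site tells
    browsers to forget a previously cached one. Unknown directives are ignored.
    """
    max_age = None
    include_subdomains = False
    for raw in header_value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
    if max_age is None:
        return None
    return HstsPolicy(expires_at=now + max_age, include_subdomains=include_subdomains)


class HstsStore:
    """Minimal per-host policy cache mirroring what a browser keeps."""

    def __init__(self) -> None:
        self._policies: Dict[str, HstsPolicy] = {}

    def record(self, host: str, header_value: str, now: float, over_tls: bool = True) -> bool:
        """Store the policy a host sent. Browsers only honour HSTS received over an
        error-free TLS connection, so a header seen on plain HTTP is ignored."""
        if not over_tls:
            return False
        policy = parse_hsts(header_value, now)
        if policy is None:
            return False
        self._policies[host.lower()] = policy
        return True

    def is_known_host(self, host: str, now: float) -> bool:
        """True if the host, or a parent domain with includeSubDomains, has a live policy."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            policy = self._policies.get(candidate)
            if policy is None:
                continue
            if policy.expires_at <= now:
                del self._policies[candidate]   # expired: drop it and keep looking
                continue
            if i == 0 or policy.include_subdomains:
                return True
        return False

    def rewrite(self, url: str, now: float) -> str:
        """Upgrade an http:// URL to https:// when the host is a known HSTS host.
        This is the step that defeats stripping: the browser never emits the
        plaintext request the attacker would intercept. Port 80 becomes the
        default HTTPS port; other explicit ports are kept, as RFC 6797 requires."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not parts.hostname:
            return url
        if not self.is_known_host(parts.hostname, now):
            return url
        netloc = parts.hostname
        if parts.port and parts.port != 80:
            netloc += f":{parts.port}"
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


def handle_plain_http_request(host: str, path: str) -> Dict[str, str]:
    """What the origin should do with any request arriving over plain HTTP:
    a permanent redirect to the HTTPS equivalent and nothing else. The HSTS
    header itself belongs on the HTTPS responses, where browsers honour it."""
    return {"status": "301 Moved Permanently", "Location": f"https://{host}{path}"}


if __name__ == "__main__":
    store = HstsStore()
    store.record("example.com", "max-age=31536000; includeSubDomains", now=0.0)
    print(store.rewrite("http://api.example.com/login", now=10.0))
    print(handle_plain_http_request("example.com", "/account"))
```

The `over_tls` guard matters in practice: a stripping attacker controls the plaintext channel, so a policy accepted from an HTTP response could be forged or suppressed, which is why browsers only learn HSTS from TLS responses and why the first visit to a site not on the browser preload list remains exposed.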
