HTTPS Stripping

HTTPS Stripping forces a victim’s browser into communicating with an adversary in plaintext HTTP instead of the encrypted HTTPS (SSL/TLS). The attacker, positioned between the client and the server, automatically rewrites every HTTPS request the victim would make into a plain HTTP request, so the traffic between victim and attacker is never encrypted.

What can happen?

An attacker can listen to conversations between a user and a server by preventing encryption from taking place, hence defeating the purpose of HTTPS.

Remediation

HTTP Strict Transport Security (HSTS) is a mechanism, signalled by the Strict-Transport-Security response header, that makes the browser itself enforce secure resource retrieval, even in the face of user mistakes (typing the site’s address without https://, so the request would go to port 80) and implementation errors (you or your developers place an insecure http:// link into a secure page).

The best-case scenario is to stop serving content over HTTP completely. The only thing the server should do when it receives a plain HTTP request is redirect to the correct HTTPS equivalent. Note that the redirect alone does not protect that first plaintext request, which is exactly what a stripping attacker intercepts; it must be combined with HSTS so that, after the first secure visit, the browser no longer sends plain HTTP to the site at all.
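The two remediation points above (HTTP must only redirect to HTTPS, and the HTTPS response must carry a sufficiently long HSTS policy) can be checked mechanically. The script below is an added example, not part of the original page: it parses a Strict-Transport-Security header per the RFC 6797 grammar and audits a constructed pair of responses, one weak configuration and one corrected one. The `Response` class, the sample headers and the host name example.com are all constructed for the example; in practice the responses would come from real requests to the site under test.

```python
"""Audit a site's HTTP and HTTPS responses for HTTPS-stripping defences.

Check 1: a plain-HTTP request must be answered with a permanent redirect to the
         https:// version of the same host, never with content.
Check 2: the HTTPS response must carry Strict-Transport-Security with a max-age
         of at least one year (the minimum the browser preload list accepts),
         ideally with includeSubDomains.
The responses below are constructed so the script runs offline.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional
from urllib.parse import urlsplit

ONE_YEAR = 31536000  # seconds


@dataclass
class Response:
    """Minimal stand-in for an HTTP response (constructed for this example)."""
    status: int
    headers: Dict[str, str] = field(default_factory=dict)

    def header(self, name: str) -> Optional[str]:
        # Header names are case-insensitive.
        for key, value in self.headers.items():
            if key.lower() == name.lower():
                return value
        return None


def parse_hsts(value: str) -> Dict[str, Optional[str]]:
    """Parse an HSTS header value into {directive: value}.

    Directives are ';'-separated, names are case-insensitive, values may be
    quoted, and a directive must not appear twice (RFC 6797 section 6.1).
    """
    directives: Dict[str, Optional[str]] = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, eq, val = part.partition("=")
        name = name.strip().lower()
        if name in directives:
            raise ValueError(f"duplicate directive: {name}")
        directives[name] = val.strip().strip('"') if eq else None
    return directives


def check_http_redirect(resp: Response, host: str) -> List[str]:
    """Plain HTTP must do nothing except send the client to https:// on the same host."""
    problems: List[str] = []
    if resp.status in (302, 303, 307):
        problems.append(f"HTTP redirect is temporary ({resp.status}); use 301 or 308")
    elif resp.status not in (301, 308):
        return [f"plain HTTP answered with status {resp.status} instead of a 301/308 redirect to HTTPS"]
    location = resp.header("Location")
    if location is None:
        return problems + ["redirect carries no Location header"]
    target = urlsplit(location)
    if target.scheme != "https":
        problems.append(f"redirect target {location!r} is not https://")
    if (target.hostname or "").lower() != host.lower():
        problems.append(f"redirect leaves the host: {target.hostname!r} != {host!r}")
    return problems


def check_hsts(resp: Response) -> List[str]:
    """The HTTPS response must set a long-lived HSTS policy.

    Browsers ignore the header on plain-HTTP responses, so only the HTTPS
    response is inspected here.
    """
    value = resp.header("Strict-Transport-Security")
    if value is None:
        return ["HTTPS response has no Strict-Transport-Security header"]
    try:
        directives = parse_hsts(value)
    except ValueError as exc:
        return [f"malformed Strict-Transport-Security header: {exc}"]
    problems: List[str] = []
    max_age = directives.get("max-age")
    if max_age is None or not max_age.isdigit():
        problems.append("HSTS max-age is missing or not a non-negative integer")
    elif int(max_age) < ONE_YEAR:
        problems.append(f"HSTS max-age={max_age} is below one year ({ONE_YEAR})")
    if "includesubdomains" not in directives:
        problems.append("HSTS lacks includeSubDomains: subdomains stay reachable over plain HTTP")
    return problems


def audit(http_resp: Response, https_resp: Response, host: str) -> List[str]:
    """Return every finding; an empty list means both defences are in place."""
    return check_http_redirect(http_resp, host) + check_hsts(https_resp)


# Constructed sample responses: a weak configuration and the corrected one.
WEAK_HTTP = Response(200, {"Content-Type": "text/html"})   # serves the page in clear
WEAK_HTTPS = Response(200, {"Content-Type": "text/html"})  # no HSTS policy at all
GOOD_HTTP = Response(301, {"Location": "https://example.com/"})
GOOD_HTTPS = Response(200, {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"})

if __name__ == "__main__":
    for label, pair in (("weak", (WEAK_HTTP, WEAK_HTTPS)), ("corrected", (GOOD_HTTP, GOOD_HTTPS))):
        print(label, audit(*pair, "example.com") or "no findings")
```

Running it reports two findings for the weak pair (plain HTTP serves content, no HSTS header) and none for the corrected pair. The one-year threshold and the includeSubDomains finding are policy choices of this example; tighten or relax them to match your own deployment.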

Resources