HProxy: Client-Side Detection of SSL Stripping Attacks

  • Nick Nikiforakis
  • Yves Younan
  • Wouter Joosen
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6201)


In today’s world wide web hundreds of thousands of companies use SSL to protect their customers’ transactions from potential eavesdroppers. Recently, a new attack against the common usage of SSL surfaced, SSL stripping. The attack is based on the fact that users almost never request secure pages explicitly but rather rely on the servers, to redirect them to the appropriate secure version of a particular website. An attacker, after becoming man-in-the-middle can suppress such messages and provide the user with “stripped” versions of the requested website forcing him to communicate over an insecure channel. In this paper, we analyze the ways that SSL stripping can be used by attackers and present a countermeasure against such attacks. We leverage the browser’s history to create a security profile for each visited website. Each profile contains information about the exact use of SSL at each website and all future connections to that site are validated against it. We show that SSL stripping attacks can be prevented with acceptable overhead and without support from web servers or trusted third parties.


MITM Detection SSL Stripping Browser Security 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Almuhimedi, H., Bhan, A., Mohindra, D., Sunshine, J.: Toward Web Browsers that Make or Break Trust. In: Symposium Of Usable Privacy and Security (SOUPS) (2008)Google Scholar
  2. 2.
  3. 3.
    Chen, Y., Trappe, W., Martin, R.P.: Detecting and Localizing Wireless Spoofing Attacks. In: Proceedings of the Fourth Annual IEEE Communications Society Conference on Sensor, Mesh and Ad Hoc Communications and Networks (IEEE SECON 2007), San Diego, CA, USA (2007)Google Scholar
  4. 4.
    Chickenfoot for Firefox: Rewrite the Web, http://groups.csail.mit.edu/uid/chickenfoot/faq.html
  5. 5.
    Dhamija, R., Tygar, J.D., Hearst, M.: Why phishing works. In: CHI 2006: Proceedings of the SIGCHI conference on Human Factors in computing systems, pp. 581–590. ACM, New York (2006)CrossRefGoogle Scholar
  6. 6.
  7. 7.
    Egele, M., Balduzzi, M., Kirda, E., Balzarotti, D., Kruegel, C.: A Solution for the Automated Detection of Clickjacking Attacks. In: Proceedings of ASIACCS, Beijing, China (April 2010)Google Scholar
  8. 8.
    Friedman, B., Hurley, D., Howe, D.C., Felten, E., Nissenbaum, H.: Users’ conceptions of web security: a comparative study. In: CHI 2002 extended abstracts on Human factors in computing systems, pp. 746–747. ACM, New York (2002)CrossRefGoogle Scholar
  9. 9.
    Guo, F., Chiueh, T.-c.: Sequence number-based MAC address spoof detection. In: Valdes, A., Zamboni, D. (eds.) RAID 2005. LNCS, vol. 3858, pp. 309–329. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  10. 10.
    Hisao, S.: Tiny HTTP Proxy in Python, http://www.okisoft.co.jp/esc/python/proxy/
  11. 11.
    Klein, A.: Cross Site Scripting Explained, Sanctum White Paper (2002)Google Scholar
  12. 12.
    LaRoche, P., Nur Zincir-Heywood, A.: Genetic Programming Based WiFi Data Link Layer Attack Detection. In: CNSR 2006: Proceedings of the 4th Annual Communication Networks and Services Research Conference, Washington, DC, USA, pp. 285–292. IEEE Computer Society, Los Alamitos (2006)CrossRefGoogle Scholar
  13. 13.
    Marlinspike, M.: New Tricks for Defeating SSL in Practice. In: Proceedings of BlackHat 2009, DC (2009)Google Scholar
  14. 14.
    Martínez, A., Zurutuza, U., Uribeetxeberria, R., Fernández, M., Lizarraga, J., Serna, A., naki Vélez, I.: Beacon Frame Spoofing Attack Detection in IEEE 802.11 Networks. In: ARES 2008: Proceedings of the 2008 Third International Conference on Availability, Reliability and Security, Washington, DC, USA, pp. 520–525. IEEE Computer Society, Los Alamitos (2008)Google Scholar
  15. 15.
    Nachreiner, C.: Anatomy of an ARP Poisoning Attack, http://www.watchguard.com/infocenter/editorial/135324.asp
  16. 16.
  17. 17.
    Ruderman, J.: JavaScript Security: Signed Scripts, http://www.mozilla.org/projects/security/components/signed-scripts.html
  18. 18.
    Sheng, Y., Tan, K., Chen, G., Kotz, D., Campbell, A.: Detecting 802.11 MAC Layer Spoofing Using Received Signal Strength. In: Proceedings of INFOCOM 2008, pp. 1768–1776 (2008)Google Scholar
  19. 19.
    Sotirov, A.: Heap Feng Shui in Javascript. In: Proceedings of BlackHat Europe 2007 (2007)Google Scholar
  20. 20.
  21. 21.
    Moxie Marlinspike’s sslstrip, http://www.thoughtcrime.org/software/sslstrip/
  22. 22.
    Sunshine, J., Egelman, S., Almuhimedi, H., Atri, N., Cranor, L.F.: Crying Wolf: An Empirical Study of SSL Warning Effectiveness. In: Proceedings of Usenix Security (2009)Google Scholar
  23. 23.
    Suski, W.C., Temple, M.A., Mendenhall, M.J., Mills, R.F.: Using Spectral Fingerprints to Improve Wireless Network Security. In: IEEE Global Telecommunications Conference, IEEE GLOBECOM 2008, 30-December 4, pp. 1–5 (2008)Google Scholar
  24. 24.
    Alexa Top 500 Global Sites, http://www.alexa.com/topsites
  25. 25.
    Walker, J.R., Submission Page Jesse Walker, Intel Corporation: Unsafe at any key size; An analysis of the WEP encapsulation (2000)Google Scholar
  26. 26.
    Wright, J.: Detecting Wireless LAN MAC Address Spoofing (2003)Google Scholar
  27. 27.
    Xia, H., Brustoloni, J.C.: Hardening Web browsers against man-in-the-middle and eavesdropping attacks. In: WWW 2005: Proceedings of the 14th international conference on World Wide Web, pp. 489–498. ACM, New York (2005)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2010

Authors and Affiliations

  • Nick Nikiforakis
    • 1
  • Yves Younan
    • 1
  • Wouter Joosen
    • 1
  1. 1.IBBT-DistriNetKatholieke Universiteit LeuvenLeuvenBelgium

Personalised recommendations