SSL Enhancement

With the development of e-commerce, ssl protocol is more and more widely applied to various network services. It is one of key technologies to keep user’s data in secure transmission via internet. This document majorly focuses on “SSLStrip” which generates the most recent attack in the secure network connections. It strips out all the secure connections to unsecure plain connection. In this article we depict this attack and to nullify it, we have proposed a technique cum practical solution to strengthen data security by developing mozilla-firefox add-on and servlet code which will strengthen our defense against the https hijacking attacks.

💡 Research Summary

The paper addresses the growing reliance on SSL/TLS for securing e‑commerce and cloud services and focuses on the SSLStrip attack, a modern form of HTTPS hijacking. SSLStrip operates by intercepting an initial HTTP request, preventing the TLS handshake, and then serving the website over plain HTTP while rewriting all “https://” links to “http://”. This allows a man‑in‑the‑middle attacker to capture or modify data that users believe to be encrypted. The authors identify that the attack succeeds mainly because many sites do not enforce HSTS (HTTP Strict Transport Security) from the first visit, and browsers may not automatically upgrade insecure links for domains not pre‑loaded in HSTS lists.

To counter this threat, the authors propose a dual‑layer solution comprising a client‑side Firefox add‑on and a server‑side servlet filter. The Firefox add‑on uses the WebRequest API together with a content script to scan the DOM after each page load. It automatically rewrites any URL that begins with “http://” to “https://”, including dynamically generated JavaScript links and AJAX requests. When a rewrite is impossible or a certificate error is detected, the add‑on presents a warning dialog, allowing the user to make an informed decision. This approach goes beyond static URL replacement tools by handling runtime‑generated resources, thereby achieving near‑complete coverage of potential downgrade vectors.

On the server side, a Java servlet filter intercepts every incoming HTTP request. It issues an immediate 301 Moved Permanently response directing the client to the HTTPS version of the resource and appends a Strict‑Transport‑Security header with the directive “max‑age=31536000; includeSubDomains”. This forces compliant browsers to remember the HTTPS requirement for the domain and all its subdomains for one year. The authors also recommend registering the domain in the HSTS preload list to protect the very first connection, eliminating the window of vulnerability before the first HSTS header is received.

The implementation was evaluated in two controlled experiments. In the first, a local network attacker running SSLStrip attempted to downgrade connections to several popular e‑commerce sites while the Firefox add‑on was active. The add‑on successfully upgraded 100 % of the insecure links, and no plaintext traffic was captured. In the second experiment, the servlet filter was deployed on a test server; all HTTP requests were automatically redirected to HTTPS and the HSTS header was correctly delivered. Performance measurements showed an average page‑load overhead of only 2–3 %, indicating that the security gains come at minimal usability cost.

The paper also discusses limitations. Sites that lack an HSTS header on first contact remain vulnerable until the user visits the HTTPS version or the domain is pre‑loaded. The add‑on’s effectiveness is limited to desktop Firefox; mobile browsers and other platforms may not support the required APIs or may restrict the necessary permissions. Moreover, sophisticated attackers could combine SSLStrip with DNS spoofing or forged certificates, which would require additional defenses such as certificate pinning or network‑level anomaly detection.

In conclusion, the authors demonstrate that a lightweight client‑side Firefox extension combined with a server‑side HSTS‑enforcing servlet can effectively neutralize SSLStrip attacks and strengthen overall HTTPS security. The solution is straightforward to implement, incurs negligible performance penalties, and is applicable to both small‑scale and large‑scale web services. Future work is suggested to extend the approach to other browsers, mobile environments, and to integrate machine‑learning‑based real‑time attack detection for a more comprehensive defense framework.