Latest updates from iWebz℠
Load Your Website Only Via HTTPS - July 14th, 2017

Dear <<First Name>>,

Did you know that a MITM attack can compromise & steal information from your website visitors even though you have HTTPS enabled on your website?

What is a MITM attack?

A man-in-the-middle attack is a type of cyberattack where a malicious actor inserts him/herself into a conversation between two parties, impersonates both parties and gains access to information that the two parties were trying to send to each other.

A man-in-the-middle attack allows a malicious actor to intercept, send and receive data meant for someone else, or not meant to be sent at all, without either outside party knowing until it is too late.

MITM attacks consist of TWO stages:
  1. Interception
  2. Decryption
Interception is achieved by fooling your visitor's PC or mobile device into thinking it is connecting to your site directly, when it is actually connecting via the criminal's proxy/gateway server.

To do this, the visitor's device needs to be tricked into using the proxy server. This can happen in a variety of ways, which include connecting to free WiFi, but we will not get into that here as there is nothing you as the website owner can do about it.

The second step, Decryption, however, requires that the website whose visitors are being targeted can be loaded via HTTP. So even if you have set up your SSL certificate to enable HTTPS, if you have not restricted HTTP access on your website then your visitors can be targeted through an MITM attack known as SSLStrip.

While the criminal steals their card or login details, the visitors will think the problems they are facing were caused by visiting your website.

What is SSL strip?

SSL strip is a type of MITM attack that forces a victim's browser into communicating with a proxy/gateway in plain text over HTTP.

The criminal's proxy/gateway server communicates with your server over regular SSL (HTTPS), so the server does not notice any difference. To do this, the SSLstrip proxy "strips" https:// URLs and turns them into http:// URLs in the traffic between the visitor's device and the proxy.

However, if your website only loads via HTTPS, i.e. you have disabled HTTP access to your website, then an SSL strip attack cannot happen.

How to block HTTP access to your website?

To block HTTP access to your website you can use one of the following methods:
  1. Enable HSTS on your web server
  2. Perform an HTTP to HTTPS redirect
For details we recommend you check out the relevant explanatory articles and guidelines available via links on our Books & Articles page.
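As an added example (not part of this newsletter), here is a small offline Python checker for the two controls named above. It parses a Strict-Transport-Security header as a browser would and reports whether a site's HTTP and HTTPS responses, supplied as constructed dictionaries, leave it exposed to SSLStrip; the six-month minimum max-age and the placeholder host example.com are assumptions.

```python
import re
from typing import Dict, List, Optional, Tuple

# Assumed floor for max-age: six months, the usual minimum for HSTS preloading.
HSTS_MIN_AGE = 6 * 30 * 24 * 3600


def parse_hsts(header: str) -> Optional[Dict[str, object]]:
    """Parse a Strict-Transport-Security value; None if absent or malformed."""
    parsed: Dict[str, object] = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            match = re.fullmatch(r'"?(\d+)"?', value.strip())
            if not match:
                return None  # a malformed max-age makes browsers discard the whole header
            parsed["max_age"] = int(match.group(1))
        elif name == "includesubdomains":
            parsed["include_subdomains"] = True
        elif name == "preload":
            parsed["preload"] = True
    return parsed if parsed["max_age"] is not None else None  # max-age is mandatory (RFC 6797)


def assess(http_status: int, http_headers: Dict[str, str],
           https_headers: Dict[str, str]) -> Tuple[bool, List[str]]:
    """Return (protected, findings) for one site's HTTP and HTTPS responses.

    A redirect alone does not defeat SSLStrip: the proxy follows the redirect itself
    and keeps serving the victim plain HTTP. HSTS closes that gap for every browser
    that has already seen the header once (or has the site preloaded).
    """
    findings: List[str] = []
    location = http_headers.get("Location", "").lower()
    if not (300 <= http_status < 400 and location.startswith("https://")):
        findings.append("HTTP response does not redirect to HTTPS")
    elif http_status not in (301, 308):
        findings.append("redirect is temporary; use 301 or 308 so browsers cache it")
    hsts = parse_hsts(https_headers.get("Strict-Transport-Security", ""))
    if hsts is None:
        findings.append("HTTPS response has no valid Strict-Transport-Security header")
    else:
        if hsts["max_age"] < HSTS_MIN_AGE:
            findings.append(f"HSTS max-age {hsts['max_age']} is below {HSTS_MIN_AGE}")
        if not hsts["include_subdomains"]:
            findings.append("HSTS lacks includeSubDomains; subdomains remain strippable")
    return (not findings, findings)
```

In practice the two dictionaries come from the headers of a real HTTP and HTTPS request to your own site; the HSTS header only counts on the HTTPS response, since browsers ignore it over plain HTTP.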


Best Regards,
Team iWebz


iWebz℠ - powered by the web - iwebz.host
Copyright © 2017 iWebz Retail Pvt. Ltd. OPC, All rights reserved.

