SSL Stripping
An attack that downgrades an encrypted HTTPS connection to unencrypted HTTP, allowing an attacker positioned between the user and server to intercept communications.
Also known as: HTTPS downgrade attack, TLS stripping, protocol downgrade
Last reviewed: 1 June 2026
SSL stripping is a man-in-the-middle attack technique that silently removes the encryption from a web session. When a user attempts to connect to an HTTPS site, the attacker (positioned on the same network or controlling a rogue access point) intercepts the initial request and maintains two separate connections: an unencrypted HTTP link to the victim and an encrypted HTTPS link to the real server. From the victim's perspective the page content looks normal, because the attacker relays the real site's responses, but the browser is communicating over plain HTTP, giving the attacker full visibility of, and the ability to modify, every request and response.
The attack exploits the fact that many users type a domain name without the 'https://' prefix, so the browser's first request goes out as plain HTTP and relies on the server's redirect to HTTPS; an attacker in the path can intercept that redirect and keep serving the site over HTTP. HTTP Strict Transport Security (HSTS) is the primary defence: when properly configured, HSTS instructs browsers to always use HTTPS for a given domain, even when the user doesn't specify it, making SSL stripping ineffective for HSTS-enabled sites. Note that a browser only learns the policy from a Strict-Transport-Security header it has already received over HTTPS, so the very first visit remains exposed unless the domain is on the browser's HSTS preload list.
Users should look for the padlock icon and 'https://' in their browser's address bar, be cautious on public Wi-Fi networks, and avoid logging into sensitive accounts on networks they do not control.
Examples
- An attacker operates a rogue Wi-Fi hotspot in a coffee shop and strips HTTPS from banking sessions, capturing login credentials from customers who connect to the free network.