TLS & Encryption

SSL Stripping

A man-in-the-middle attack in which an attacker positioned between a client and server intercepts the client's HTTP request and forwards it to the server over HTTPS, while serving the response back to the client over plain HTTP. The client sees HTTP, but the server believes it is communicating securely. SSL stripping was demonstrated by Moxie Marlinspike in 2009. It is effectively prevented by HTTP Strict Transport Security (HSTS), which instructs browsers to always use HTTPS for the domain, and by HSTS preloading, which bakes the rule into browsers before the first connection is made.
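
To check which of the two defences a site actually has, the added example below (not part of the original entry) parses a `Strict-Transport-Security` header value following RFC 6797 and classifies the protection it gives. The function names and result strings are illustrative, and the preload thresholds are the header requirements published by hstspreload.org, assumed here.

```python
import re

# Assumption: minimum max-age (one year) required by hstspreload.org.
PRELOAD_MIN_AGE = 31536000

def parse_hsts(value):
    """Parse a Strict-Transport-Security value (RFC 6797, section 6.1).
    Returns {directive: value} with lowercase names (None for flags),
    or None when the header is invalid and a browser would ignore it."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        name = name.strip().lower()
        if name in directives:      # a repeated directive invalidates the header
            return None
        directives[name] = arg.strip().strip('"') if arg else None
    age = directives.get("max-age")
    if age is None or not re.fullmatch(r"\d+", age):
        return None                 # max-age is required and must be an integer
    directives["max-age"] = int(age)
    return directives

def assess(scheme, hsts_value):
    """Classify how well one response protects later visits from stripping."""
    if scheme != "https":
        # An on-path attacker can drop or forge the header on plain HTTP,
        # so browsers only honour it on a secure connection.
        return "ignored: HSTS received over plain HTTP is discarded"
    if hsts_value is None:
        return "none: no HSTS header"
    policy = parse_hsts(hsts_value)
    if policy is None:
        return "none: malformed header"
    if policy["max-age"] == 0:
        return "none: max-age=0 removes the host from the HSTS list"
    if ("includesubdomains" in policy and "preload" in policy
            and policy["max-age"] >= PRELOAD_MIN_AGE):
        return "preload-eligible: header meets the preload list requirements"
    return "after-first-visit: protected once the browser has seen this header"
```

A result of `after-first-visit` means the first connection to the domain can still be stripped; only a preloaded domain is covered before that first connection.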
