Does sslstrip work only on websites which use both HTTP and HTTPS?
SSL Strip only works on websites which uses both HTTP & HTTPS.
That's not accurate because it implies turning off HTTP support secures against the attack.
The point is that sslstrip steps in when the user requests a site over plain HTTP first. It's about how the browser attempts to connect to the server, not what the server supports. You're only safe if the browser doesn't attempt a plain HTTP connection at all (because of a HSTS directive it has seen earlier or because the website is in the browser's HSTS preload list).
I mean is SSLStrip attack still possible against a website that is only using HTTPS?
Yes. Let's say https://yourbank.example/ doesn't serve anything over plain HTTP. Now, I send you a link to http://yourbank.example/ anyway. When your browser attempts the plain request, I use sslstrip to intercept it and respond with a phishing site. As you see, it's irrelevant if the original site would have served any content over plain HTTP because I don't forward the request anyway.
Sslstrip requires that the connection between the client and the sslstrip instance is done over plain HTTP. The connection from sslstrip to the server can be either HTTP and HTTPS.
This means that if the client first requests the site with plain HTTP then sslstrip works. If instead the clients starts already with HTTPS since it either knows that the site is only accessible by HTTPS or if the browser enforces HTTPS because of a HSTS policy (preloaded or from earlier visits) then sslstrip will not work.
The answer:
Let’s take a scenario in which there is a Victim machine (A),an Attacker machine (B) and a server(C). SSL strip is running on the attacker machine, which is a proxy server. Hence, there is no direct connection between the victim and the server.
Victim A wants to transfer money from his account using an online banking service and he enters the following URL into the address bar of the browser:
www.foobank.com/online_banking
In the background, the victim’s browser that is connected to the attacker’s machine waits for the response from the server. Attacker B forwards the victim A’s request and waits for the response from the bank server. The connection between B and C is secure, which means that all the traffic that is transferred between them (B & C) is through the SSL tunnel.
The Bank server responds with the login page that has the following URL:
https://www.foobank.com/online_banking
At this stage, the attacker has access to the login page. Next, attacker(B) modifies the response from the server from https to http and sends it to victim (A), which results in the browser now being addressed to http://www.foobank.com/online_banking.
At this point, the victim has access to the internet banking login page with an insecure connection with the attacker. From this point onwards, all the victim’s requests go out in the Plain text format and the attacker can sniff the data and collect the credentials.
The Server thinks it has successfully established the connection, which in this scenario is between the attacker and the server (i.e., between B & C), while the victim (A) also thinks that it is a legitimate Server (C).
So
SSLStrip doesn't depend on the server's behavior, it depends on the client. If you can get the client to make the request over HTTP, instead of HTTPS, you can perform the attack, even if the server only supports HTTPS. HSTS prevents the browser from performing the plain HTTP request in the first place (on subsequent requests).
Conclusion:
Google is using only HTTPS and using HSTS header against SSLStrip attacks. Because SSLStrip attacks can occur even if web server is using only HTTPS.
Resource: https://avicoder.me/2016/02/22/SSLstrip-for-newbies/