Protocol Downgrade Attacks

Forcing a connection onto a weaker protocol to defeat its protections.

Negotiating Down

A downgrade attack manipulates negotiation so that two parties settle on a weaker protocol or cipher than both actually support. An on-path attacker strips or tampers with the capability advertisements each side sends, so the connection falls back to something exploitable.

Common Forms

  • Stripping HTTPS to plain HTTP when a user types a bare domain.
  • Forcing an older TLS version or a weak cipher suite during the handshake.
  • Removing modern features so a legacy, vulnerable path is taken.

Defenses

  • Send HSTS so browsers refuse plain HTTP for known sites.
  • Disable obsolete protocol versions and weak ciphers entirely.
  • Use handshake integrity checks that detect tampering with negotiated parameters.
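Two of the defenses above in code, checking a served HSTS policy and detecting the TLS 1.3 downgrade sentinel in a ServerHello random, as an added Python example that is not part of this lesson; the sentinel bytes come from RFC 8446, while the function names, the one-year max-age threshold and the inputs are assumptions constructed here.

```python
"""Two defender-side downgrade checks (added example, not from the lesson).
Assumes the HSTS syntax of RFC 6797 and the TLS 1.3 downgrade sentinels of
RFC 8446 section 4.1.3; names, thresholds and inputs are constructed."""

# RFC 8446 4.1.3: a TLS 1.3-capable server that negotiates an older version
# writes one of these sentinels into the last 8 bytes of its ServerHello
# random, so a client that offered 1.3 can distinguish a forced downgrade
# from a server that is genuinely old.
SENTINEL_TLS12 = bytes.fromhex("444F574E47524401")           # b"DOWNGRD\x01"
SENTINEL_TLS11_OR_OLDER = bytes.fromhex("444F574E47524400")  # b"DOWNGRD\x00"


def server_hello_downgraded(server_random: bytes, negotiated: str,
                            offered_max: str = "1.3") -> bool:
    """True when the client must abort: it offered TLS 1.3 (or 1.2), was
    handed something older, and the server random carries a sentinel."""
    if len(server_random) != 32:
        raise ValueError("ServerHello random is 32 bytes")
    tail = server_random[-8:]
    if offered_max == "1.3" and negotiated in ("1.2", "1.1", "1.0"):
        return tail in (SENTINEL_TLS12, SENTINEL_TLS11_OR_OLDER)
    if offered_max == "1.2" and negotiated in ("1.1", "1.0"):
        return tail == SENTINEL_TLS11_OR_OLDER
    return False


def parse_hsts(header: str) -> dict:
    """Split a Strict-Transport-Security value into its directives."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                policy["max_age"] = int(value.strip().strip('"'))
            except ValueError:
                policy["max_age"] = None  # malformed value: treat as absent
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy


def hsts_is_effective(header: str, min_age: int = 31536000) -> bool:
    """A policy lapses after max-age seconds, reopening the HTTPS-to-HTTP
    stripping window; the one-year floor is this example's threshold."""
    max_age = parse_hsts(header)["max_age"]
    return max_age is not None and max_age >= min_age
```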

Key idea

Downgrade attacks force a weaker negotiated protocol, so disable obsolete versions, enforce HSTS, and validate handshake integrity.

Check yourself

1. What does a downgrade attack force?

2. Which header helps prevent an HTTPS to HTTP downgrade?