SSL stripping is an on-path attack that downgrades HTTPS to HTTP, allowing attackers to intercept unencrypted traffic when HSTS protections are absent.