A man-in-the-middle attack is difficult to identify and defend against. MITM attacks generally don’t depend on infecting computers on either end of the system. Instead, they depend on controlling the communications equipment between two systems. For example, a malicious router offering free Wi-Fi in a public location may perform a man-in-the-middle attack.
An Offline Man-in-the-Middle Attack
Man-in-the-middle attacks were around before computers. This type of attack involves an attacker inserting themselves in between two parties communicating with each other. Man-in-the-middle attacks are essentially eavesdropping attacks.
For example, let’s say you’re communicating with someone over physical mail — you’re writing letters to each other. If you had a crazy mailman, they could intercept each letter you mail, open it, read it, and then repackage the letter and send it to your original recipient. The original recipient would then mail you a letter back, and the mailman would open the letter, read it, repackage it, and give it to you. You wouldn’t know there’s a man in the middle of your communications channel — properly performed, this sort of attack is invisible to the participants.
This sort of eavesdropping — taking over a communications channel between two participants and eavesdropping on traffic — is the core of a man-in-the-middle attack. It could be worse than simply reading personal correspondence. If you were sending letters back and forth with business plans, the attacker could intercept that data without you knowing.
The attacker could also modify the messages in transit. Let’s say you send a letter to someone. The man-in-the-middle could add a note to that letter, asking for some sort of favor — maybe they ask the person on the other end to include some cash because you really need money. Sure, the writing might not look identical, but the man-in-the-middle could rewrite your letter word-for-word, add their custom message, and mail the letter to the recipient. As long as the man-in-the-middle was doing this the entire time, the recipient wouldn’t notice that it wasn’t your handwriting. The recipient might write a letter back and mention they included some money, and the man-in-the-middle could keep the money, rewrite their letter — omitting the reference to the money — and send the letter to you. This takes a bit of work in an offline world, but it’s much easier to do this sort of thing online where it can be automated by software.
Online Man-in-the-Middle Attacks
Online man-in-the-middle attacks work in the same way. For example, let’s say you connect to a malicious wireless router — perhaps a router offering free Wi-Fi in a public location. You then attempt to connect to your bank’s website. In the most obvious attack scenario, you’d see a certificate error informing you that the bank’s website doesn’t have the appropriate encryption certificate. This would alert you to a man-in-the-middle attack, but quite a few people might click through this error message. You sign into your bank and perform transactions like you normally would. Everything seems to be fine.
In reality, an attacker could have set up a fake server that appears to be your bank. When you connect to it, it fetches the bank’s web page, modifies it a bit, and presents it to you. You sign in with your account details and those details are sent to the man-in-the-middle server. The server then logs in for you, grabs your account details page, and sends you a copy. Everything may look normal, but really there’s a server sitting in the middle, forwarding data back and forth and eavesdropping on the sensitive information. The certificate problem was the only warning — the man-in-the-middle server wouldn’t have the appropriate security certificate your real bank’s website would.
With typical unencrypted HTTP websites — not encrypted HTTPS websites — you’d have no warning of a man-in-the-middle attack. This is why sensitive web pages like account login pages, online banking systems, shopping sites, and email services are usually offered over HTTPS.
A man-in-the-middle attack doesn’t have to depend on you clicking through a certificate warning. The SSLStrip attack tool can remove HTTPS encryption from a site, so you’d visit your bank’s website, be redirected to an unencrypted HTTP version, and be compromised if you attempted to log in. The only indication that there was a problem would be that your bank’s site was being offered over HTTP instead of HTTPS — something very easy to miss.
Other man-in-the-middle attacks could depend on software infecting your computer — for example, malware could hide in the background on your computer, inserting itself between your web browser and the servers it contacts to perform a man-in-the-middle attack on your browser. Such malware should be detectable by good antivirus software, of course.
Defending Against MITM Attacks
MITM attacks are tough to defend against on your end. They generally indicate that a communication channel itself — such as a Wi-Fi router — is compromised. Noticing man-in-the-middle attacks is possible, but the remote server will have to be using HTTPS encryption and you may need a sharp eye. Here are a few tips:
- Don’t Ignore Certificate Warnings: A security certificate warning indicates there’s a serious problem. The certificate doesn’t match the server you’re seeing, so this could mean you’re communicating with a phishing server or an imposter server performing a MITM attack. It could also indicate a misconfigured server, which is why many people have been trained to ignore it. Don’t just click through warning pages like this, especially when accessing sensitive sites like your email or online banking.
- Check for HTTPS: When connecting to a sensitive site where you enter an important password or credit card details, be sure the site is using HTTPS encryption. Quickly glance at your address bar and ensure encryption is in place before logging in, especially on public Wi-Fi networks. The EFF’s HTTPS Everywhere plug-in will help a bit here, forcing your browser to use HTTPS where sites support it.
- Exercise Caution With Public Wi-Fi Networks: Be especially careful when connecting to public Wi-Fi networks you don’t trust. Avoid doing online banking and other especially sensitive things on such networks. Be especially suspicious if you see certificate error messages or sensitive sites without HTTPS encryption on public Wi-Fi networks.
- Run Antivirus Software: Antivirus software and other basic Internet security practices will help protect you against man-in-the-middle attacks that require malware running on your computer.
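As an added illustration (not code from the original article), the following Python reproduces, in simplified form, the two signals the tips above and the SSLStrip paragraph rely on: the hostname check a browser performs before trusting a certificate, which is what produces the "certificate doesn't match the server" warning, and the plain-HTTP check that catches a downgraded login page. The certificates, the `bank.example` names and the clock value are constructed for this example.

```python
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Constructed sample: the certificate the real bank's server presents.
BANK_CERT = {
    "names": ["bank.example", "*.bank.example"],
    "not_after": datetime(2030, 1, 1, tzinfo=timezone.utc),
}
# Constructed sample: the certificate a rogue hotspot's own server would present instead.
ROGUE_CERT = {
    "names": ["free-wifi.example"],
    "not_after": datetime(2030, 1, 1, tzinfo=timezone.utc),
}
NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)  # constructed clock for the example

def name_matches(pattern: str, host: str) -> bool:
    """Match one certificate name against a hostname (simplified RFC 6125 rules)."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    # Browsers only honour a wildcard that is the entire leftmost label, with at
    # least two labels after it ("*.bank.example" is fine, "*.example" is not),
    # and it covers exactly one label: "*.bank.example" does not match "bank.example".
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return bool(h_labels[0]) and p_labels[1:] == h_labels[1:]

def certificate_warnings(cert: dict, host: str, now: datetime = NOW) -> list:
    """Return the reasons a browser would show a certificate warning, if any."""
    warnings = []
    if not any(name_matches(n, host) for n in cert["names"]):
        warnings.append("certificate does not match the server you're connecting to")
    if now > cert["not_after"]:
        warnings.append("certificate has expired")
    return warnings

def page_warnings(final_url: str, cert: dict, now: datetime = NOW) -> list:
    """Combine the downgrade check (the SSLStrip indicator) with the certificate check."""
    parts = urlsplit(final_url)
    if parts.scheme != "https":
        # No TLS at all: there is no certificate to check, and this is exactly what
        # a stripped login page looks like in the address bar.
        return ["sensitive page served over plain HTTP, not HTTPS"]
    return certificate_warnings(cert, parts.hostname, now)

if __name__ == "__main__":
    for url, cert in [("https://www.bank.example/login", BANK_CERT),
                      ("https://www.bank.example/login", ROGUE_CERT),
                      ("http://www.bank.example/login", BANK_CERT)]:
        print(url, "->", page_warnings(url, cert) or ["ok"])
```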
Man-in-the-middle attacks depend on compromising a communications channel. The communication channel will generally be out of your control, so you’ll want to use a different communications channel if you encounter a potential MITM attack. This may mean disconnecting from a suspicious public Wi-Fi network and using a more secure Internet connection.