Rob Behnke
May 24th, 2022
Man-in-the-middle (or MitM) attacks can occur when an attacker has the ability to intercept communications over the network. This allows the attacker to read — and potentially modify — these communications.
Computers on the Internet are not directly connected to one another. All network traffic, including web browsing, email, and use of mobile applications, travels through multiple different routers and devices en route from its source to its destination. These devices are typically not under the control of the sender or the recipient of the message and are operated by Internet Service Providers (ISPs), organizations, and potentially individuals.
This creates the potential that one of the hops that network traffic flows through is under the control of an attacker. If this is the case, then the attacker has the ability to inspect the network packets that they are transmitting.
This malicious device could choose to drop packets between two parties, cutting off their communications. In the event that the data being sent is unencrypted, the attacker may be able to read and potentially modify the traffic so that the data seen by the recipient is different from that transmitted by the sender.
One example of a common MitM attack risk is the use of untrusted Wi-Fi networks. If an attacker sets up a wireless network and a computer connects to it, then all of that computer’s network traffic flows through the attacker-controlled wireless router. The attacker could then inspect, drop, and potentially modify that traffic, depending on whether it is encrypted and protected against modification.
MitM attacks rely on an attacker’s ability to intercept, read, and modify network traffic. While a user has limited control over how their traffic flows over the Internet, they can take steps to make MitM attacks more difficult to perform. For example, the use of a virtual private network (VPN) when connected to public Wi-Fi networks helps to protect against traffic interception by a malicious wireless access point.
Even if an attacker has access to a user’s network traffic, their ability to read and modify the traffic depends on how it is protected. If network traffic is encrypted and authenticated using Transport Level Security (TLS) — which is the difference between the HTTP and HTTPS protocols — then the attacker should not be able to read the data contained within the network traffic or modify it without detection.
In a TLS connection, a web server sends a digital signature that proves that it is the legitimate owner of the URL that a user is visiting. This digital certificate also includes encryption keys that can be used to secure the connection between the client and server. These keys and built-in message integrity checks in the protocol protect against MitM attacks.
TLS is designed to help maintain the confidentiality and integrity of network traffic. However, the system has some weaknesses that can make it vulnerable to attack.
One of the biggest limitations of TLS is that it only proves that a user is connected to a legitimate web server for the URL that they are visiting. If the client is tricked into visiting a malicious URL via a phishing attack, then all TLS does is protect the user’s connection to the attacker’s server.
The other big assumption of TLS is that the digital certificate provided by the web server is legitimate and trustworthy. The authenticity of digital certificates is demonstrated by a chain of digital certificates stretching back to a trusted root certificate authority (CA). Each certificate is digitally signed by the previous one in the chain, so a certificate is considered trusted if all of the digital signatures are valid and the root CA is trusted.
If this chain of trust is broken, then a MitM attack is possible. For example, a common MitM attack is performed by businesses attempting to gain visibility into network traffic to identify malicious content or data exfiltration in network traffic. These organizations force employee computers to trust a root CA controlled by the company for all websites.
This allows a proxy to make an encrypted, authenticated connection with the user and another with the desired remote web server. In the middle, data is encrypted and can be inspected — and potentially modified — by the web server.
A MitM attack is mainly a threat when cybersecurity best practices aren’t followed. The use of TLS whenever possible and a VPN when connected to untrusted public networks dramatically reduces the risk of MitM attacks.