
Man-in-the-Middle (MITM) Attacks Explained

A man-in-the-middle attack (MITM) is an attack technique in which an attacker inserts themselves between two parties who are communicating, eavesdropping on and tampering with the contents of their communication. Because the attacker impersonates a legitimate communication partner to both sides, the victims find it difficult to notice that they are under attack. It is used to steal passwords and session information, and unencrypted communication is especially at risk.

Real-World Use Cases

"An employee checked email on a hotel Wi-Fi while on a business trip without connecting to the corporate VPN, and a session cookie was stolen via a man-in-the-middle attack. The attacker accessed the company groupware with that session, so we invalidated the session in question and forced a password reset."

The Flow of a Man-in-the-Middle Attack

User <-> Attacker (eavesdrop / tamper) <-> Legitimate server

Attack Methods

Representative methods include ARP spoofing on public Wi-Fi, DNS spoofing, and setting up fake Wi-Fi access points. On communication that does not use HTTPS, there is a risk that login information is intercepted in plaintext. In an SSL stripping attack, an HTTPS connection is downgraded to HTTP so that the communication can be intercepted.
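The ARP spoofing method mentioned above leaves a detectable trace: the same IP address (typically the gateway) suddenly answers from a different MAC address. The following added example, which is not part of the original article, runs that check over a constructed ARP reply log in the format a passive sniffer might produce; the log lines, the `192.168.1.x` addresses and the MACs are all made up for the demonstration.

```python
import re

# Constructed sample log (not a real capture): one line per ARP "is-at" reply.
# The gateway 192.168.1.1 first answers from aa:bb:cc:00:00:01, then a second
# host starts claiming the same IP, which is the classic ARP spoofing symptom.
SAMPLE_ARP_LOG = """\
10:00:01 arp reply 192.168.1.1 is-at aa:bb:cc:00:00:01
10:00:02 arp reply 192.168.1.20 is-at aa:bb:cc:00:00:20
10:00:05 arp reply 192.168.1.1 is-at aa:bb:cc:00:00:01
10:00:09 arp reply 192.168.1.1 is-at de:ad:be:ef:00:99
10:00:10 arp reply 192.168.1.1 is-at de:ad:be:ef:00:99
"""

ARP_RE = re.compile(
    r"^(?P<ts>\S+) arp reply (?P<ip>\d+\.\d+\.\d+\.\d+) is-at "
    r"(?P<mac>[0-9a-f]{2}(?::[0-9a-f]{2}){5})$",
    re.IGNORECASE,
)


def parse_arp_log(text):
    """Yield (timestamp, ip, mac) for every well-formed reply line; skip the rest."""
    for line in text.splitlines():
        m = ARP_RE.match(line.strip())
        if m:
            yield m["ts"], m["ip"], m["mac"].lower()


def detect_arp_conflicts(records, gateway_ip=None):
    """Flag IPs whose MAC changes after first being seen.

    Returns one alert per new (ip, mac) pairing. A change on the gateway IP is
    rated HIGH because that is what redirects all of a victim's traffic.
    """
    first_seen = {}   # ip -> MAC that first answered for it
    alerted = set()   # (ip, mac) pairs already reported, to avoid duplicates
    alerts = []
    for ts, ip, mac in records:
        known = first_seen.setdefault(ip, mac)
        if mac != known and (ip, mac) not in alerted:
            alerted.add((ip, mac))
            alerts.append({
                "time": ts, "ip": ip, "expected": known, "seen": mac,
                "severity": "HIGH" if ip == gateway_ip else "MEDIUM",
            })
    return alerts


if __name__ == "__main__":
    for a in detect_arp_conflicts(parse_arp_log(SAMPLE_ARP_LOG), gateway_ip="192.168.1.1"):
        print(f"[{a['severity']}] {a['time']} {a['ip']} moved from {a['expected']} to {a['seen']}")
```

A legitimate NIC replacement or address reassignment changes the mapping too, so treat an alert as a prompt to confirm the gateway's real MAC address out of band rather than as proof of an attack.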

Concrete Damage Scenarios

A common misconception is that "a man-in-the-middle attack is impossible on an HTTPS site." In reality, "SSL inspection," in which a corporate proxy server decrypts and examines SSL/TLS communication, is a legitimate form of man-in-the-middle attack. Also, when you connect to free Wi-Fi at a café, if an attacker has set up a fake access point with the same name, you connect to the fake Wi-Fi without noticing, and all of your communication is intercepted. In cases where online banking login information was intercepted, there have been reports of fraudulent transfers being executed within minutes.

Defensive Measures

The basic measures are to always verify that the connection uses HTTPS and to use a VPN on public Wi-Fi. In addition to a strong random password, setting up two-factor authentication prevents unauthorized logins even if your password is intercepted. It is also important not to ignore the browser's certificate warnings.
