The ABC of Cybersecurity: M is for Man-in-the-Middle (MiTM)

When you request a page, the information travels from the server to your computer via a super-highway of cables, routers and computer switches that stretch the Internet across the world. Like highway robbers of old, modern attackers knows you are vulnerable at every “junction.” These spots are where your data can be intercepted, read and even altered.

A man-in-the-middle attack is a procedure that allows an attacker to interpose between you and the computer you are communicating with to read the conversation or alter it. The procedure was extremely common before the massive switch to HTTP-Secure, and it is still common nowadays, although a little more complicated to carry out.

After targeting PCs for years, the omnipresent man-in-the-middle attacks have moved on to mobiles. On account of failing to assess the impact of these attacks, consumers connect their phones to public networks to stay connected, especially when on vacation.

The biggest threat arises from the slow detection rate. Users can”t always figure out if the network they are on is legitimate or if some is listening to the traffic, whether at the airport, hotel or coffee place down the street. Our internet addiction has also driven us to use the same device for both business and pleasure, automatically exposing ourselves to risks. End-users are the biggest threat to enterprises; once connected to an unreliable network corporate data, credentials or email could be leaked.

How MiTM attacks work

When two parties start a conversation, they typically establish a connection and exchange what are called public keys – keys used to encrypt conversations before they get sent across the wires. Let”s imagine Alice and Bob chatting on the web. When Alice reaches out to Bob, she sends her public key. Bob will encrypt all the messages for Alice with her public key. Bob in turn would also send Alice his public key. When Alice gets the encrypted message from Bob, she decrypts it with her private key and reads it.

Now imagine a third person between Alice and Bob. His name is Peter. Peter intercepts Alice”s public key as it travels to Bob and substitutes it with his own public key. He also intercepts Bob”s public key and substitutes it with his own as it travels to Alice. Now both Alice and Bob encrypt information with Peter”s public key and Peter can decrypt them with his own private key. After decryption, he reads the message, maybe alters it, then encrypts it with Alice”s public key intercepted in the first step and forwards the message to Alice. He proxies all communication to and from Bob or Alice and neither of them knows he”s listening.

Rogue or unprotected Wi-Fi networks are not the only entry point a hacker can use to launch a man-in-the-middle attack. Each time you go online and use a proxy service to anonymize your IP address or circumvent the restrictions at your workplace, remember that the proxy server normally acts as a man in the middle.

Your page visits and online activity like file transfers, financial transactions or emails can be captured by criminals through a hostile proxy server. You are exposing all your information to third parties.

VPN servers should safeguard your infrastructure by keeping your connection encrypted. Compromised or rogue VPN servers also could allow third parties to steal your data but, even worse, they can reroute your traffic and use your internet connection for illegal schemes. In the absence of a secure connection, by the time you figure out you”ve installed a malicious program or website it could be too late.

How to identify them

If you”re not tech-savvy, there”s not much you can do about this. Man-in-the-middle attacks are very difficult to detect, so prevention is better than cure.

If you”re on vacation and your phone automatically connects to a network, you could fall victim to a MitM attack. If asked to install a VPN app or accept a digital certificate, you”re on your way to a man-in-the-middle attack. The easiest way to identify man-in-the-middle attacks is to check whether the SSL certificate is issued for the entity you are expecting to visit. Ideally, it should have been issued by a legitimate, trustworthy certificate authority. If your browser objects to the validity or legitimacy of a certificate, close the page immediately and ask for help before entering any credentials. You can check the SSL certificate by looking in the upper left corner of your browser to make sure it says “https” in green; this means your connection is encrypted and your data hidden.

Not all men-in-the-middle are bad

Now that we gave you the shivers, let”s look at the bright side of man-in-the-middle. Such techniques can be used for your own safety.

Because more and more malicious websites and malware are switching to secure communication (https) to exfiltrate data and make sure your antivirus solution can”t intercept rogue traffic, some security solutions use SSL proxies – modules that decrypt the SSL / TLS traffic, inspect it for badware then re-encrypt and forward it to the destination. Some parental control solutions also take this road to make sure your child”s encrypted conversations don”t contain something for you to worry about.

How to protect yourself

Because there”s no way of properly detecting these attacks, it”s better to play safe from the very beginning. Make sure the connections are https and not http, double check that the SSL certificate is not expired and is issued by a reliable provider, and avoid free VPNs and proxies. Also, regularly change passwords and don”t reuse them, don”t connect to suspicious public networks, be distrustful even when it comes to hotel Wi-Fi, and never install or download anything. If you really can”t help it and you must connect to a network, avoid making payments and logging in to social media accounts or email.