Man-in-the-Middle Attacks Explained

How MITM attacks intercept network traffic and what defenses protect your communications.

What Is a Man-in-the-Middle Attack?

A man-in-the-middle (MITM) attack occurs when an attacker secretly intercepts and potentially alters communications between two parties who believe they are communicating directly. The attacker positions themselves between the victim and the legitimate server.

MITM attacks can capture credentials, session tokens, personal data, and even inject malicious content into otherwise legitimate traffic.

Common MITM Techniques

ARP Spoofing — The attacker sends forged ARP replies on the local network that bind the attacker's MAC address to the gateway's IP address (and usually to the victim's IP as well, so both directions are captured). Hosts accept these replies without any authentication and update their ARP caches, so traffic meant for the gateway is delivered to the attacker, who forwards it on so that nothing visibly breaks.

DNS Spoofing — The attacker forges DNS responses, or poisons a resolver's cache, so that a legitimate name resolves to an attacker-controlled address. The victim then connects to a server that mimics the real site while the address bar shows the expected name. Without HTTPS nothing warns the user; with it, the impostor cannot present a valid certificate for that name unless a CA has also been fooled.
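
The following is an added example, not code from the article: a minimal stub resolver that builds a DNS query, parses the reply, and applies the checks RFC 5452 recommends before trusting it (random transaction ID and source port, reply must come from the resolver we asked, and the question section must match exactly). The resolver address 192.0.2.53, the names and the addresses are constructed for the demonstration.

```python
"""Added example, not from the article: the checks a stub resolver applies
before accepting a DNS reply (transaction ID, source address and port, and an
exact match of the question section, per RFC 5452) and how forged replies
fail them. The resolver address and every packet here are constructed."""
import secrets
import struct

RESOLVER = ("192.0.2.53", 53)  # assumed upstream resolver (documentation range)


def encode_name(name):
    """'www.example.com' -> length-prefixed labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(p)]) + p.encode() for p in labels) + b"\x00"


def decode_name(data, off):
    """Decode a possibly compressed name at off; return (name, offset after it)."""
    labels, jumped, end = [], False, off
    while True:
        length = data[off]
        if length & 0xC0 == 0xC0:  # compression pointer into the message
            if not jumped:
                end = off + 2
            off = struct.unpack("!H", data[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if length == 0:
            break
        labels.append(data[off:off + length].decode())
        off += length
    return ".".join(labels), (end if jumped else off)


def build_query(txid, qname, qtype=1):
    """Recursive query (flags 0x0100) with a single IN question."""
    return (struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
            + encode_name(qname) + struct.pack("!HH", qtype, 1))


def build_response(txid, qname, addr, qtype=1, ttl=300):
    """Response (flags 0x8180) echoing the question plus one A record for addr."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)
    rdata = bytes(map(int, addr.split(".")))
    answer = b"\xC0\x0C" + struct.pack("!HHIH", qtype, 1, ttl, len(rdata)) + rdata
    return header + question + answer


def parse_response(data):
    """Return (txid, qname, qtype, [(name, ipv4, ttl), ...]) for a reply."""
    txid, _flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    qname, off = decode_name(data, 12)
    qtype, _qclass = struct.unpack("!HH", data[off:off + 4])
    off += 4
    answers = []
    for _ in range(an):
        name, off = decode_name(data, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        rdata, off = data[off:off + rdlen], off + rdlen
        if rtype == 1 and rdlen == 4:
            answers.append((name, ".".join(str(b) for b in rdata), ttl))
    return txid, qname, qtype, answers


class StubResolver:
    """Tracks outstanding queries and accepts only replies that match one."""

    def __init__(self):
        self.pending = {}  # txid -> (qname, qtype, our source port)

    def send_query(self, qname, qtype=1):
        txid = secrets.randbelow(1 << 16)       # random 16-bit transaction ID
        port = 1024 + secrets.randbelow(64512)  # random source port
        self.pending[txid] = (qname.lower(), qtype, port)
        return txid, port, build_query(txid, qname, qtype)

    def accept(self, src_ip, src_port, dst_port, data):
        """Return the A records if the reply is acceptable, else None."""
        try:
            txid, qname, qtype, answers = parse_response(data)
        except (struct.error, IndexError, UnicodeDecodeError):
            return None
        expected = self.pending.get(txid)
        if expected is None:
            return None  # unknown or guessed transaction ID
        exp_name, exp_type, our_port = expected
        if (src_ip, src_port, dst_port) != (RESOLVER[0], RESOLVER[1], our_port):
            return None  # not from the resolver we asked, or wrong port
        if (qname.lower(), qtype) != (exp_name, exp_type):
            return None  # question section differs from what we sent
        del self.pending[txid]
        return answers


def demo():
    """Constructed exchange: one genuine reply and three forgeries."""
    r = StubResolver()
    txid, port, _query = r.send_query("www.example.com")
    genuine = build_response(txid, "www.example.com", "203.0.113.10")
    guessed = build_response((txid + 1) & 0xFFFF, "www.example.com", "198.51.100.66")
    wrong_q = build_response(txid, "login.example.com", "198.51.100.66")
    return {
        "guessed_txid": r.accept(RESOLVER[0], 53, port, guessed),
        "wrong_question": r.accept(RESOLVER[0], 53, port, wrong_q),
        "wrong_source": r.accept("198.51.100.66", 53, port, genuine),
        "genuine": r.accept(RESOLVER[0], 53, port, genuine),
    }
```

These checks defeat an off-path forger who has to guess the ID and port. An attacker who is already on the path (ARP spoofing, rogue access point) sees the query and can copy both, which is why DNSSEC validation, not these checks, is the defense listed later on this page.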

SSL Stripping — The attacker, already on the path, intercepts the victim's first plain-HTTP request (most sessions begin with one, from a typed hostname or an old link), opens a normal HTTPS session to the real server, and relays the content to the victim over plain HTTP with every https:// link rewritten to http://. The server sees an encrypted client as usual; the victim sees an ordinary-looking page with no lock icon, and most users never notice its absence.

Rogue Wi-Fi Access Points — Attackers run a hotspot with a plausible name (e.g., "Airport_WiFi_Free") or clone the SSID of a network the victims' devices already trust and will join automatically. Every connection from those devices then passes through hardware the attacker controls.

Defenses Against MITM

  • TLS/HTTPS everywhere — Encrypt all communications. HSTS (the Strict-Transport-Security header) tells the browser to refuse plain HTTP to that host, which blocks SSL stripping, but only once the browser has seen the header over a genuine HTTPS connection or the domain is on the preload list; the very first visit is unprotected
  • Certificate (or public-key) pinning — The application accepts only a specific certificate or key, not anything its CA trust store would sign off on. This defeats rogue or compromised CAs, but pins must be rotated carefully or the application locks itself out
  • VPN — Tunnels all traffic through an encrypted link, so a rogue access point or ARP spoofer on the local segment sees only ciphertext. This moves trust to the VPN endpoint rather than removing it
  • DNSSEC — Signs DNS data so a validating resolver can reject forged responses. It provides authenticity, not confidentiality, and the last hop from resolver to client still needs its own protection (DNS over TLS or HTTPS)
  • 802.1X authentication — Requires devices to authenticate before they get a port on the wired or wireless network, keeping unauthorized hosts off the segment where ARP spoofing would otherwise be possible
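
The block below is an added example, not code from the article, covering both the SSL-stripping technique described above and the HSTS defense: the link-rewriting step a stripping proxy performs on a page, and a small browser-side policy store that decides whether a plain-HTTP navigation gets upgraded. It shows the first-visit gap, that a header received over plain HTTP is ignored, subdomain coverage, preloading, and policy expiry. The hosts bank.example and preloaded.example, the headers and the page are constructed.

```python
"""Added example, not from the article: what an SSL-stripping proxy does to a
page on its way to the victim, and the browser-side HSTS policy store that
refuses the downgrade once a policy is known. Hosts, headers and the page
are constructed; 'preloaded.example' stands in for a preload-list entry."""
import re
import time

HTTPS_LINK = re.compile(rb"https://([A-Za-z0-9.-]+)")


def strip_https(body, seen_hosts):
    """Attacker side: rewrite https:// links to http:// in a response body and
    remember the hosts so the proxy can re-upgrade the victim's later plaintext
    requests when forwarding them to the real server."""
    def rewrite(m):
        seen_hosts.add(m.group(1).decode().lower())
        return b"http://" + m.group(1)
    return HTTPS_LINK.sub(rewrite, body)


class HstsStore:
    """Minimal Strict-Transport-Security store with RFC 6797 semantics."""

    def __init__(self, preload=(), now=time.time):
        self.now = now
        self.policies = {host: (float("inf"), True) for host in preload}  # host -> (expiry, includeSubDomains)

    def observe(self, host, scheme, headers):
        """Record a policy; the header is ignored on plain-HTTP responses."""
        if scheme != "https":
            return
        value = headers.get("strict-transport-security")
        if value is None:
            return
        max_age, include_sub = None, False
        for directive in value.split(";"):
            name, _, arg = directive.strip().partition("=")
            if name.lower() == "max-age":
                max_age = int(arg.strip().strip('"'))
            elif name.lower() == "includesubdomains":
                include_sub = True
        if max_age is None:
            return  # max-age is mandatory
        if max_age == 0:
            self.policies.pop(host.lower(), None)  # max-age=0 clears the policy
        else:
            self.policies[host.lower()] = (self.now() + max_age, include_sub)

    def must_use_https(self, host):
        """Exact match, or a superdomain policy that includes subdomains."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            policy = self.policies.get(".".join(labels[i:]))
            if policy is None:
                continue
            expiry, include_sub = policy
            if expiry >= self.now() and (i == 0 or include_sub):
                return True
        return False

    def navigate(self, url):
        """Return the URL the browser actually fetches for a typed or clicked URL."""
        scheme, rest = url.split("://", 1)
        host = rest.split("/", 1)[0]
        if scheme == "http" and self.must_use_https(host):
            return "https://" + rest
        return url


def demo():
    """Constructed walkthrough of a victim's browser behind a stripping proxy."""
    clock = [1_000_000.0]
    store = HstsStore(preload=["preloaded.example"], now=lambda: clock[0])
    seen = set()
    page = b'<a href="https://bank.example/login">Log in</a> <a href="https://preloaded.example/">Mail</a>'
    out = {"stripped_page": strip_https(page, seen), "hosts_seen": sorted(seen)}
    out["first_visit"] = store.navigate("http://bank.example/login")  # no policy yet: downgrade works
    store.observe("bank.example", "http", {"strict-transport-security": "max-age=31536000"})
    out["header_over_http"] = store.navigate("http://bank.example/login")  # header over HTTP is ignored
    store.observe("bank.example", "https", {"strict-transport-security": "max-age=31536000; includeSubDomains"})
    out["after_policy"] = store.navigate("http://bank.example/login")
    out["subdomain"] = store.navigate("http://www.bank.example/")
    out["preloaded"] = store.navigate("http://preloaded.example/")
    clock[0] += 31536001  # policy lapses after max-age seconds without a refresh
    out["expired"] = store.navigate("http://bank.example/login")
    return out
```

The practical reading: a host that sends HSTS only after login, or with a short max-age, leaves every returning visitor exposed once the policy lapses; a long max-age with includeSubDomains plus preload submission closes both gaps.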

Detection

Monitor for ARP anomalies (an IP address whose MAC suddenly changes, or one MAC claiming several IPs), unexpected certificate changes, and DNS answers that differ from those of a trusted resolver. arpwatch keeps a database of Ethernet/IP pairings and reports when one changes; browser warnings flag certificates that do not match the hostname or chain to a trusted root, but users can click through them, so do not rely on warnings alone.
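
As an added example (not code from the article, and not arpwatch itself) covering both the ARP spoofing technique described earlier and the detection point here: the block builds raw Ethernet ARP frames, parses them, and runs an arpwatch-style monitor that alerts when a known IP address starts answering from a different MAC. The gateway, victim and attacker addresses are constructed; nothing is transmitted.

```python
"""Added example, not from the article: building and parsing Ethernet ARP
frames (RFC 826) and an arpwatch-style monitor that alerts when an IP address,
here the gateway, suddenly answers from a different MAC. All addresses and
frames are constructed; nothing is sent on a real network."""
import struct

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_bytes(s):
    return bytes.fromhex(s.replace(":", ""))


def ip_bytes(s):
    return bytes(map(int, s.split(".")))


def fmt_mac(b):
    return ":".join(f"{x:02x}" for x in b)


def fmt_ip(b):
    return ".".join(str(x) for x in b)


def arp_frame(op, sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet II header + 28-byte ARP body for IPv4 over Ethernet."""
    eth = mac_bytes(target_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)  # htype, ptype, hlen, plen, opcode
           + mac_bytes(sender_mac) + ip_bytes(sender_ip)
           + mac_bytes(target_mac) + ip_bytes(target_ip))
    return eth + arp


def parse_arp(frame):
    """Return the ARP fields of an Ethernet frame, or None if it is not IPv4 ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {
        "op": op,
        "sender_mac": fmt_mac(frame[22:28]), "sender_ip": fmt_ip(frame[28:32]),
        "target_mac": fmt_mac(frame[32:38]), "target_ip": fmt_ip(frame[38:42]),
    }


class ArpMonitor:
    """Learns IP->MAC pairings (or takes pinned ones) and reports changes."""

    def __init__(self, pinned=None):
        self.table = dict(pinned or {})  # ip -> mac
        self.alerts = []

    def observe(self, frame):
        """Feed one captured frame; return an alert string or None."""
        pkt = parse_arp(frame)
        if pkt is None:
            return None
        ip, mac = pkt["sender_ip"], pkt["sender_mac"]
        known = self.table.get(ip)
        if known is None:
            self.table[ip] = mac  # first sighting: learn it
            return None
        if known != mac:
            alert = f"{ip} changed from {known} to {mac} (op={pkt['op']})"
            self.alerts.append(alert)
            return alert
        return None


def demo():
    """Constructed LAN: legitimate ARP, then the two poisoning replies of a MITM."""
    gw_ip, gw_mac = "192.168.1.1", "00:11:22:33:44:55"
    victim_ip, victim_mac = "192.168.1.20", "66:77:88:99:aa:bb"
    attacker_mac = "de:ad:be:ef:00:01"
    mon = ArpMonitor(pinned={gw_ip: gw_mac})  # gateway pairing known in advance
    frames = [
        arp_frame(ARP_REPLY, gw_mac, gw_ip, victim_mac, victim_ip),        # genuine reply
        arp_frame(ARP_REPLY, victim_mac, victim_ip, gw_mac, gw_ip),        # victim learned normally
        arp_frame(ARP_REPLY, attacker_mac, gw_ip, victim_mac, victim_ip),  # "I am the gateway" to victim
        arp_frame(ARP_REPLY, attacker_mac, victim_ip, gw_mac, gw_ip),      # "I am the victim" to gateway
    ]
    return [mon.observe(f) for f in frames]
```

On Linux the same monitor can be fed live frames from a raw socket opened with socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(ETH_P_ARP)) and read with recv(65535), which requires root or CAP_NET_RAW. A pinned entry for the gateway, as in the demo, catches the poisoning even if the monitor started after the attack began; a purely learned table can be seeded wrong if the attacker was already active.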

See Also