What is MitM? – guide 2023
For your device to communicate with any other device, it needs to connect to it. If the other device is physically present, this is pretty simple: you can just run a cable between the two devices. They need to share some sort of communication standard, but the basic principle stands. Of course, most of the devices you might want to communicate with are not physically present. Instead, you need to connect to them over a computer network, typically one that involves the Internet.
The problem with this is that now there are potentially many messengers that need to pass your communications back and forth. To communicate properly through intermediary parties, you need to be able to trust them. Alternatively, you need to be able to ensure that they can’t read or modify your communications. This is the basis of encryption. It allows you to communicate securely over an insecure channel.
The thing is, even with encryption in play there are still some bad actors out there trying to gain access to sensitive information. One way they can try to do that is to perform a Man-in-the-Middle attack or MitM.
The setup
For MitM to work, the attacker needs to be one of the parties transmitting the data they want to access. There are a few ways to achieve this. The first is relatively simple: run an Internet access point. This is exactly why you should be wary of random free Wi-Fi hotspots. It is easy to do; the problem is that it may not be easy to get a specific person to connect to a specific network.
The alternative options are to configure the victim’s device to use your device as a proxy server, or to be the victim’s ISP. Realistically, if an attacker can set their device to be used as a proxy, they probably already have more than enough access to your computer to get the information they want. In theory, anyone’s ISP could also target them, since all of their traffic runs through the ISP. A VPN/proxy provider is in exactly the same position as the ISP and may or may not be as trustworthy.
Note: If you’re thinking about getting a VPN to protect against your ISP, it’s important to understand that the VPN provider then becomes your effective ISP. As such, all of the same security concerns apply to them too.
Passive MitM
While many devices may be in a MitM position, most of them won’t be malicious. Still, encryption protects against those that are and helps to improve your privacy. An attacker in a MitM position may simply use that position to “listen” to the traffic flow. In this way they can observe only coarse details of encrypted traffic (who is talking to whom, and how much), but they can read unencrypted traffic in full.
In this sort of scenario, an attacker in a MitM position can always read or modify unencrypted traffic. It is only encryption that prevents this.
Active MitM
An attacker that has gone to the trouble of getting into that position may not be content with only reading or modifying unencrypted data. As such, they may try to perform an active attack instead.
In this scenario, they fully insert themselves into the middle of the connection, acting as an active middleman. They negotiate a “secure” connection with the server and attempt to do the same with the end user. This is where things typically fall apart. Although they can certainly do all of this, the encryption ecosystem has been designed to handle exactly this scenario.
Each HTTPS website serves an HTTPS certificate. The certificate is signed by a chain of other certificates leading back to one of a few special “root certificates”. Root certificates are special because they are stored in the trusted certificate store of every device. Every device can therefore check to see if the HTTPS certificate it was presented with has been signed by one of the root certificates in its own trusted certificate store.
If the certificate verification process does not complete properly, the browser shows a certificate error warning page explaining the basics of the issue. The certificate issuing system is set up in such a way that you need to prove that you’re the legitimate owner of a site to persuade any Certificate Authority to sign your certificate with their root certificate. As such, an attacker can generally only use invalid certificates, causing the victims to see certificate error messages.
Note: The attacker could also convince the victim to install the attacker’s root certificate in the trusted certificate store, at which point, all the protections are broken.
If the victim chooses to “accept the risk” and ignore the certificate warning then the attacker can read and modify the “encrypted” connection because the connection is only encrypted to and from the attacker, not all the way to the server.
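The check described above, as an added example that is not part of the original guide: two self-signed roots are constructed offline (one standing in for a legitimate CA, one for an attacker’s), each issues a certificate for the same hostname, and Accepts performs the browser-style verification against a trusted store. The names and the one-day validity are assumptions chosen for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// mint gives tmpl a fresh key and a day of validity, then has parentKey sign it (self-signed when parent is nil).
func mint(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	if parent == nil { // a root certificate is its own issuer
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// NewRoot builds a self-signed CA certificate, the kind kept in a device's trusted store (constructed for this example).
func NewRoot(name string) (*x509.Certificate, *ecdsa.PrivateKey) {
	return mint(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name}, IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}, nil, nil)
}

// IssueServerCert has root sign a certificate for host, as a CA does once the requester proves control of the site.
func IssueServerCert(root *x509.Certificate, rootKey *ecdsa.PrivateKey, host string) (*x509.Certificate, *ecdsa.PrivateKey) {
	return mint(&x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: host}, DNSNames: []string{host},
	}, root, rootKey)
}

// Accepts mirrors the browser's check: does leaf chain to a root in this device's trusted store and name host?
// A false result is the point at which the certificate warning page appears.
func Accepts(store *x509.CertPool, leaf *x509.Certificate, host string) bool {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: store, DNSName: host})
	return err == nil
}
```

Put only the legitimate root into an x509.NewCertPool() and Accepts returns true for the certificate that chains to it and false for the one issued by the other root; adding that second root to the pool, the case the note above describes, makes the check pass for the attacker’s certificate as well.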
A less digital example
If you’re having difficulty wrapping your head around the concept of a Man-in-the-Middle attack, it may be easier to work with the concept of physical “snail” mail. The post office and postal system are like the Internet, but for sending letters. You assume that any letter you send goes through the entire postal system without being opened, read, or modified.
The person who delivers your post, however, is in a perfect Man-in-the-Middle position. They could choose to open any letter before they deliver it. They could then read and modify the contents of the letter at will and seal it up again in another envelope. In this scenario, you’re never really communicating with the person you think you are. Instead, both of you are communicating with the nosy post person.
A third party that can verify (cryptographically secure) signatures can at least tell you that someone is opening your mail. You can choose to ignore this warning, but you’d be well advised not to send anything secret.
There is very little you can do about the situation other than changing the system over which you communicate. If you start communicating via email, the post person can’t read or modify your messages anymore. Likewise, connecting to a different, and ideally trusted, network is the only way to deny the attacker access while still being able to communicate.
Conclusion
MitM stands for Man-in-the-Middle. It describes a situation where a messenger in the chain of communication is maliciously monitoring and potentially editing communications. Typically, the most risk comes from the first hop, i.e. the router you connect to. A free Wi-Fi hotspot is the perfect example of this. An attacker in a MitM position can read and edit unencrypted communications. They can also try the same with encrypted communications, but this should result in certificate validation error messages. These certificate validation warnings are the only thing preventing an attacker from being able to read and modify encrypted traffic too. The attack works because both parties communicate with the attacker rather than with each other: the attacker poses as the other party to both parties.