
Man-in-the-Middle Attack (MITM)

Plain English

A man-in-the-middle attack is when someone secretly inserts themselves between you and whoever you are communicating with. They read everything going in both directions, and can change it before passing it along. Neither side knows anyone else is involved. It is the digital equivalent of someone opening your mail, reading it, resealing the envelope, and delivering it. Everything looks normal; the interception is invisible.

Technical Definition

A man-in-the-middle (MITM) attack occurs when an adversary secretly positions themselves in the communication path between two parties, relaying (and optionally modifying) traffic while each party believes they have a direct, private connection.

Common MITM techniques:

ARP poisoning (LAN): The attacker sends unsolicited ARP replies that associate their MAC address with a legitimate IP address. Devices update their ARP cache and begin routing traffic through the attacker’s machine. Effective on any switched Ethernet network; no privileges required beyond local network access.

DNS spoofing: The attacker returns fraudulent DNS responses, redirecting domain lookups (e.g., bank.com) to attacker-controlled servers. Can be executed via ARP poisoning of the local DNS resolver or by compromising an upstream DNS server.

SSL stripping: The attacker intercepts an HTTP connection before it upgrades to HTTPS, maintaining an HTTP connection to the victim and a legitimate HTTPS connection to the server. The victim transmits credentials in cleartext without realizing the upgrade never occurred. Mitigated by HSTS.

Rogue access point (evil twin): The attacker creates a Wi-Fi access point with the same SSID as a legitimate network. Devices connect automatically; all traffic flows through the attacker.

BGP hijacking: At internet scale, an adversary announces fraudulent routing table entries that redirect traffic for a legitimate IP range through attacker-controlled infrastructure. Used by nation-state actors.

Defenses:

Defense                                   Attack mitigated
TLS/HTTPS with valid certificates         Passive eavesdropping, basic impersonation
HSTS (HTTP Strict Transport Security)     SSL stripping
Certificate pinning                       Fraudulent certificates from rogue CAs
DNSSEC                                    DNS spoofing
VPN                                       Rogue AP, ISP-level interception
802.1X (port authentication)              Rogue devices on wired LAN
Dynamic ARP Inspection (DAI)              ARP poisoning on managed switches

A MITM on a TLS connection requires either a fraudulent certificate issued by a CA in the client’s trust store, or a user who accepted a certificate warning. Neither should happen in a properly configured environment.

Detecting ARP poisoning and checking HSTS

# View current ARP cache (look for duplicate MACs on different IPs)
arp -a

# Linux: show neighbor table
ip neighbour show

# Flag: same MAC for two different IPs = likely ARP poisoning
# 192.168.1.1  at aa:bb:cc:dd:ee:ff  (router)
# 192.168.1.50 at aa:bb:cc:dd:ee:ff  (attacker using router's MAC)

# Check if HSTS is configured on a domain
curl -sI https://example.com | grep -i strict-transport
# strict-transport-security: max-age=31536000; includeSubDomains; preload

# Verify SSL certificate details for a host
openssl s_client -connect example.com:443 -servername example.com \
  </dev/null 2>/dev/null | openssl x509 -noout -subject -issuer -dates

# Check certificate transparency logs for unexpected certificates
# (unauthorized issuance shows up here before it can be used at scale)
curl -s "https://crt.sh/?q=yourdomain.com&output=json" | \
  python3 -m json.tool | grep common_name
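
The duplicate-MAC check above can be automated. The following is an added example, not part of the original page: it parses `ip neighbour show` output (constructed sample lines; the gateway IP and baseline MAC are assumptions) and flags one MAC answering for several IPv4 addresses, plus a gateway whose MAC no longer matches a recorded baseline.

```python
"""Flag ARP-poisoning indicators in `ip neighbour show` output (added example)."""
import re
from collections import defaultdict

# Constructed sample output; every IP and MAC here is made up for the example.
SAMPLE_NEIGH = """\
192.168.1.1 dev eth0 lladdr aa:bb:cc:dd:ee:ff REACHABLE
192.168.1.20 dev eth0 lladdr 00:11:22:33:44:55 STALE
192.168.1.50 dev eth0 lladdr aa:bb:cc:dd:ee:ff REACHABLE
192.168.1.77 dev eth0 FAILED
fe80::1 dev eth0 lladdr aa:bb:cc:dd:ee:ff router REACHABLE
"""

# One neighbour entry: <ip> dev <iface> lladdr <mac> ...  (entries without lladdr are skipped)
NEIGH_RE = re.compile(
    r"^(?P<ip>\S+)\s+dev\s+(?P<dev>\S+)\s+lladdr\s+(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})",
    re.IGNORECASE,
)


def parse_neigh(output):
    """Return {mac: [ip, ...]} for every entry that carries a link-layer address."""
    by_mac = defaultdict(list)
    for line in output.splitlines():
        m = NEIGH_RE.match(line)
        if m:
            by_mac[m["mac"].lower()].append(m["ip"])
    return dict(by_mac)


def duplicate_macs(output, ignore_ipv6=True):
    """MACs that answer for more than one IPv4 address (the page's ARP-poisoning indicator).

    A host's IPv6 link-local address legitimately shares the MAC of its IPv4
    address on the same interface, so IPv6 entries are ignored by default.
    """
    dups = {}
    for mac, ips in parse_neigh(output).items():
        candidates = [ip for ip in ips if ":" not in ip] if ignore_ipv6 else ips
        if len(candidates) > 1:
            dups[mac] = sorted(candidates)
    return dups


def gateway_mac_changed(output, gateway_ip, baseline_mac):
    """True if the gateway now resolves to a MAC other than the one recorded earlier.

    gateway_ip and baseline_mac are assumed values taken from your own inventory.
    """
    for mac, ips in parse_neigh(output).items():
        if gateway_ip in ips:
            return mac != baseline_mac.lower()
    return False  # gateway not in the cache: nothing to compare against
```

Proxy ARP, IP aliases and VRRP/HSRP gateways can legitimately map several IPs to one MAC, so treat a hit as something to verify against a known device inventory rather than as proof of poisoning.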

In the Wild

MITM attacks are most common on networks the attacker physically controls: coffee shop Wi-Fi, hotel networks, and corporate networks where an insider threat has local access. The spread of HTTPS everywhere has significantly reduced the value of passive interception, but active MITMs remain viable when certificate validation is bypassed. The most common corporate scenario today involves ARP poisoning on an internal network combined with SSL stripping against services that do not enforce HSTS.

On the defender side, Dynamic ARP Inspection on managed switches, 802.1X for port-based authentication, and enforcing HSTS across all internal services eliminate most LAN-based MITM opportunities.

Download verification with checksums and GPG signatures specifically defends against a MITM substituting a malicious file during download: even if the attacker swaps both the file and its checksum, the signature will not verify, because producing a valid signature requires the publisher's private key, which the attacker does not have.