Generated by DeepSeek V3.2

| Man-in-the-middle attack | |
|---|---|
| Name | Man-in-the-middle attack |
| Classification | Network security attack |
| Field | Computer security, Cryptography |

In cryptography and computer security, a man-in-the-middle attack is a form of eavesdropping where an attacker secretly intercepts and potentially alters the communication between two parties who believe they are directly communicating with each other. This fundamental breach of information security undermines the confidentiality and integrity of data, posing severe risks to systems ranging from online banking to secure messaging applications. The attack exploits vulnerabilities in the communication protocol or the authentication mechanisms between entities like a web browser and a web server.
The core concept involves an adversary, the "man in the middle," positioning themselves between two legitimate communicators, such as a user and their banking website. This interception is often transparent to the original parties, who continue to believe their encrypted session is secure. The attacker may simply relay messages unchanged to conduct surveillance or actively manipulate the data exchange, a variant sometimes called a man-in-the-browser attack. This attack model is a direct threat to the authentication processes defined in many security protocols, including those used by the Transport Layer Security standard. Historically, such interception tactics have analogs in physical espionage, but they are now a central concern in digital forensics and cyber warfare doctrines studied by agencies like the National Security Agency.
A prevalent technique is ARP spoofing, which corrupts the Address Resolution Protocol tables on a local area network to associate the attacker's MAC address with the IP address of a legitimate host, such as the default gateway. Similarly, DNS spoofing compromises Domain Name System servers to redirect traffic intended for a legitimate site like Google to an attacker-controlled server. Attackers also set up rogue Wi-Fi access points in public spaces, often named to mimic legitimate networks from providers like Starbucks or AT&T, to capture unencrypted traffic. More sophisticated methods involve exploiting weaknesses in the public key infrastructure, such as using a forged certificate authority certificate to impersonate a site operated by PayPal or Microsoft, thereby bypassing browser warnings.
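The ARP spoofing described above leaves a visible trace in a host's neighbor table: the gateway's IP address starts resolving to a different MAC address, often one that another host already uses. The following Python sketch is an added example, not part of the original article; it compares two snapshots of `ip neigh show` output, and the addresses, snapshots and the function names `parse_neigh` and `find_arp_anomalies` are constructed for illustration.

```python
import re

# One resolved entry of `ip neigh show`: "<ip> dev <if> lladdr <mac> <state>".
NEIGH_RE = re.compile(r"^(\S+) dev \S+ lladdr ([0-9A-Fa-f:]{17})\b")

def parse_neigh(text):
    """Return {ip: mac}; FAILED/INCOMPLETE entries have no lladdr and are skipped."""
    table = {}
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:
            table[m.group(1)] = m.group(2).lower()
    return table

def find_arp_anomalies(before, after, gateway_ip):
    """Compare two snapshots; return (severity, kind, ip(s), detail) tuples."""
    old, new = parse_neigh(before), parse_neigh(after)
    findings = []
    # Signal 1: an IP now resolves to a different MAC than in the earlier snapshot.
    # Legitimate causes exist (NIC replacement, router failover), so this is a lead.
    for ip in sorted(new):
        if ip in old and old[ip] != new[ip]:
            sev = "critical" if ip == gateway_ip else "warning"
            findings.append((sev, "mac-changed", ip, old[ip] + " -> " + new[ip]))
    # Signal 2: one MAC answers for several IPs; critical if the gateway is among them.
    by_mac = {}
    for ip, mac in new.items():
        by_mac.setdefault(mac, []).append(ip)
    for mac in sorted(by_mac):
        ips = sorted(by_mac[mac])
        if len(ips) > 1:
            sev = "critical" if gateway_ip in ips else "warning"
            findings.append((sev, "mac-shared", ",".join(ips), mac))
    return findings

# Constructed sample snapshots (documentation IP range, locally administered MACs).
BEFORE = """192.0.2.1 dev eth0 lladdr 02:00:00:aa:00:01 REACHABLE
192.0.2.23 dev eth0 lladdr 02:00:00:aa:00:17 STALE
192.0.2.40 dev eth0  FAILED"""
AFTER = """192.0.2.1 dev eth0 lladdr 02:00:00:aa:00:17 REACHABLE
192.0.2.23 dev eth0 lladdr 02:00:00:aa:00:17 REACHABLE
192.0.2.40 dev eth0  FAILED"""

if __name__ == "__main__":
    for finding in find_arp_anomalies(BEFORE, AFTER, "192.0.2.1"):
        print(finding)
```
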
One of the most famous cases involved the Dutch certificate authority DigiNotar, which was breached in 2011, leading to the fraudulent issuance of certificates for domains including Google.com and used in attacks targeting users in Iran. In 2017, Equifax faced severe criticism after it was revealed that its mobile application did not properly validate SSL certificates, making it vulnerable to such interception. State-sponsored actors have frequently employed these tactics; for instance, the Great Firewall of China has been documented conducting MITM attacks on traffic to platforms like GitHub and Google. The Equation Group, widely associated with the National Security Agency, used advanced malware like Regin to insert itself into network communications for intelligence gathering.
The primary technical defense is the robust use of strong, mutually authenticated encryption protocols. Implementing HTTP Strict Transport Security forces browsers like Google Chrome and Mozilla Firefox to interact with websites only over secure HTTPS connections. Public key pinning, though now deprecated, was an early method for sites like Twitter to specify which certificate authority certificates should be trusted. On local networks, protocols like Dynamic ARP Inspection on Cisco Systems switches can prevent ARP spoofing. For end-users, vigilance against unverified public Wi-Fi networks and the use of a reputable virtual private network provider such as NordVPN or ExpressVPN can encrypt all traffic, rendering interception useless. Organizations also deploy intrusion detection system software like Snort to monitor for signature-based attack patterns.
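HTTP Strict Transport Security only protects users when the header is well formed, delivered over HTTPS, and long-lived. The following Python check is an added example, not part of the original article; it parses a `Strict-Transport-Security` value following the rules of RFC 6797 and reports weaknesses. The function names and the one-year `min_age` floor are assumptions chosen for illustration.

```python
import re

def parse_hsts(value):
    """Parse a Strict-Transport-Security value (RFC 6797, section 6.1).

    Returns {directive: value} with lowercase names and max-age as int, or
    None when the header is invalid and a browser would ignore it.
    """
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue  # the grammar tolerates empty directives
        name, sep, val = part.partition("=")
        name = name.strip().lower()  # directive names are case-insensitive
        val = val.strip().strip('"') if sep else None  # quoted-string allowed
        if name in directives:
            return None  # each directive may appear only once
        directives[name] = val
    max_age = directives.get("max-age")
    if max_age is None or not re.fullmatch(r"[0-9]+", max_age):
        return None  # max-age is required and must be a non-negative integer
    directives["max-age"] = int(max_age)
    return directives

def audit_hsts(value, scheme="https", min_age=31536000):
    """Return a list of problems; an empty list means the policy passed."""
    if scheme != "https":
        # Browsers must ignore HSTS sent over plain HTTP (RFC 6797, section 8.1),
        # otherwise an on-path attacker could set or clear the policy.
        return ["ignored: header received over plain HTTP"]
    policy = parse_hsts(value) if value else None
    if policy is None:
        return ["missing or invalid: browser stores no HSTS policy"]
    issues = []
    if policy["max-age"] == 0:
        issues.append("max-age=0 deletes any stored policy")
    elif policy["max-age"] < min_age:  # min_age is an assumed policy floor
        issues.append("max-age below %d seconds" % min_age)
    if "includesubdomains" not in policy:
        issues.append("includeSubDomains missing: subdomains stay reachable over HTTP")
    return issues

if __name__ == "__main__":
    # Constructed sample header values.
    for header in ("max-age=31536000; includeSubDomains; preload", "max-age=300"):
        print(header, "->", audit_hsts(header))
```

A policy that passes this check still does not cover a browser's first visit to a site unless the domain is on a preload list.
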
Conducting a man-in-the-middle attack without explicit authorization is illegal under statutes like the Computer Fraud and Abuse Act in the United States and the Computer Misuse Act 1990 in the United Kingdom. However, security researchers operating under sanctioned penetration testing engagements for clients like IBM or the Department of Defense may use these techniques to identify vulnerabilities. Ethical debates arise around the use of such interception by government entities; the Federal Bureau of Investigation has advocated for "lawful access" to encrypted communications, a position opposed by organizations like the Electronic Frontier Foundation and Apple Inc., citing risks to overall Internet security. The European Union's General Data Protection Regulation imposes strict requirements on data integrity, making companies liable for failing to prevent such breaches.