What is a Man-in-the-Middle Attack? Network Security


TL;DR

A man-in-the-middle (MITM) attack intercepts communications between two parties. The attacker can eavesdrop, steal data, or modify messages. HTTPS is the primary defense: encryption prevents reading intercepted traffic, and certificate validation proves you are talking to the real server. Always use HTTPS and be cautious on public WiFi.

The Simple Explanation

Imagine passing notes in class, but someone in between reads and rewrites them before passing them on. Neither sender nor receiver knows their messages are being intercepted. On networks, attackers position themselves between your device and the server, seeing everything you send and receive.

How MITM Attacks Work

Attack positioning

Normal communication: Your Device <-----> Server

MITM attack: Your Device <-> Attacker <-> Server

The attacker intercepts traffic in both directions. Without encryption, they see everything: passwords, messages, data.

Attack Techniques

Technique        How It Works                   Location
ARP spoofing     Pretends to be the router      Local network
Rogue WiFi       Fake access point              Public places
DNS hijacking    Redirects domain lookups       Network/ISP
SSL stripping    Downgrades HTTPS to HTTP       Between client/server

How HTTPS Protects You

  • Encryption: Traffic is unreadable to interceptors
  • Certificate validation: Proves server identity
  • Integrity: Detects any message modification
  • HSTS: Forces HTTPS, prevents downgrade attacks

Certificate warnings matter. When your browser warns about an invalid certificate, it might be detecting a MITM attack. Do not click through these warnings, especially on sensitive sites.

Defense Strategies

  • HTTPS everywhere: Never send sensitive data over HTTP
  • HSTS: Enforce HTTPS at the browser level
  • Certificate pinning: Only accept specific certificates
  • VPN: Encrypt all traffic on untrusted networks
  • Verify certificates: Do not ignore warnings
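The two defenses above that live in code, as an added example in Python (not part of the original article): a TLS client context with verification disabled, which is the weak setting that silently re-enables MITM, beside the hardened one, and an HSTS policy check of the kind a browser performs to refuse the HTTP downgrade that SSL stripping relies on. Host names and the hsts_cache contents are constructed for the example.

```python
import ssl
from urllib.parse import urlsplit, urlunsplit


def insecure_context() -> ssl.SSLContext:
    """Weak setting: any certificate is accepted, so an interceptor's cert passes."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_context() -> ssl.SSLContext:
    """Corrected setting: chain validated, name must match host, TLS 1.2 or newer."""
    ctx = ssl.create_default_context()  # loads the system trust store
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def verifies_peer(ctx: ssl.SSLContext) -> bool:
    """True only if the context would reject an attacker-supplied certificate."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def parse_hsts(header: str) -> dict:
    """Parse a Strict-Transport-Security header value into a policy dict."""
    policy = {"max_age": 0, "include_subdomains": False}
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name, value = name.lower(), value.strip().strip('"')
        if name == "max-age" and value.isdigit():
            policy["max_age"] = int(value)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
    return policy


def upgrade_url(url: str, hsts_cache: dict) -> str:
    """Rewrite http:// to https:// when a cached HSTS policy covers the host.

    hsts_cache maps a host name to a parse_hsts() result (constructed input).
    A parent-domain policy applies only if it carries includeSubDomains.
    """
    parts = urlsplit(url)
    labels = (parts.hostname or "").split(".")
    for i in range(len(labels)):
        policy = hsts_cache.get(".".join(labels[i:]))
        if policy and policy["max_age"] > 0 and (i == 0 or policy["include_subdomains"]):
            return urlunsplit(("https",) + tuple(parts[1:]))
    return url  # no policy known: the plaintext request would go out as-is
```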

How does HTTPS prevent man-in-the-middle attacks?

HTTPS encrypts the connection between browser and server, so intercepted traffic is unreadable. Certificate validation ensures you are talking to the real server, not an imposter. An attacker in the middle sees only encrypted data they cannot decrypt or modify without detection.

Are MITM attacks still possible with HTTPS?

Rarely. They require the attacker to compromise a certificate authority, install a rogue root certificate on the device, or exploit an implementation flaw in the client or server. Corporate proxies often perform MITM deliberately for monitoring by installing their own root certificate on managed devices. Always verify you see the correct certificate for sensitive sites.

Where do MITM attacks commonly happen?

Public WiFi networks are common attack locations since attackers can easily intercept traffic. Compromised routers, ARP spoofing on local networks, and DNS hijacking are other vectors. Using a VPN on untrusted networks provides additional protection.
