Questions tagged [man-in-the-middle]

A man-in-the-middle attack (MiTM) is an active attack against a communication protocol where the attacker relays and modifies messages in transit. The parties believe they are talking to each other directly, but in fact both are talking to each other via the attacker in the middle.

Protection against man-in-the-middle attacks depends on two things: establishing a secure channel, and making sure that the secure channel is established with the intended party: at least one of the parties must authenticate the other one. There are two major ways to set up a secure channel with the right party using cryptography:

  • sharing secret keys or public keys in a secure environment before communication takes place (e.g. provisioning keys on a device during manufacturing, or exchanging PGP keys when meeting in person);
  • relying on a trusted third party, with a public-key infrastructure.

SSL/TLS is the de facto standard way to establish a secure channel over the Internet, in HTTPS and other protocols. Authentication is achieved by either storing the server's certificate on the client or by having the server's certificate delivered by a .

1302 questions

417 votes, 14 answers

How is it possible that people observing an HTTPS connection being established wouldn't know how to decrypt it?

I've often heard it said that if you're logging in to a website - a bank, GMail, whatever - via HTTPS, that the information you transmit is safe from snooping by 3rd parties. I've always been a little confused as to how this could be possible.…
Joshua Carmody

176 votes, 4 answers

Is there anything preventing the NSA from becoming a root CA?

There are now tons of Certification Authorities (CAs) that are trusted by default in major OS's, many of which are unrecognizable without online lookup or reference. While there have been attempts by the NSA and others to "hack" or otherwise…
user2813274

138 votes, 8 answers

Are "man in the middle" attacks extremely rare?

In "Some thoughts on the iPhone contact list controversy and app security", cdixon blog Chris Dixon makes a statement about web security: Many commentators have suggested that a primary security risk is the fact that the data is transmitted in plain…
Jeff Atwood

101 votes, 5 answers

How can my employer be a man-in-the-middle when I connect to Gmail?

I'm trying to understand SSL/TLS. What follows are a description of a scenario and a few assumptions which I hope you can confirm or refute. Question: How can my employer be a man-in-the-middle when I connect to Gmail? Can he at all? That is: is it…
Lernkurve

100 votes, 4 answers

How does SSLstrip work?

I've been reading up on SSLstrip and I'm not 100% sure on my understanding of how it works. A lot of documentation seems to indicate that it simply replaces occurrences of "https" with "http" in traffic that it has access to. So a URL passing…
Scott Helme

84 votes, 7 answers

Why is SMS used as a way of verifying a user's mobile, when it is not even encrypted in transit?

I did some research about how secure and private SMS messages are. Providers and governments can see these SMS messages in plaintext, but what is weird is that these messages are not encrypted in transit. According to my knowledge, that makes the…

74 votes, 1 answer

How can Kazakhstan perform MITM attacks on all HTTPS traffic?

There is now MITM on HTTPS traffic in Kazakhstan. But for MITM to work, other than installing the certificate, there has to be someone proxying the request, right? Will that role be played by the ISPs? Say I want to connect to Facebook. Does the…
microwth

66 votes, 3 answers

Why is Firefox (and only Firefox) reporting that my connection is insecure on multiple sites?

After installing Firefox 54.0.1 on my work laptop, the first page I see warns me that "Your connection is not secure" when opening https://www.mozilla.org/. "The owner of Firefox has configured their website improperly" After browsing a bit more, I…
Stevoisiak

64 votes, 3 answers

Why aren't IMSI catchers rendered ineffective by standard MITM defenses?

There's been a lot of reporting in the past few years about law enforcement agencies using IMSI catchers (also known as Stingrays after a popular brand of them) to intercept cellular communications. If I understand correctly, what IMSI catchers do…
HighCommander4

62 votes, 10 answers

Is there such a thing as a "Black Box" that decrypts Internet traffic?

I have been reading about the Snoopers charter bill that was passed in the UK this week. It mentions a "Black Box" which is cited here: ‘Black boxes’ to monitor all internet and phone data. It states it works like so: When an individual uses a…
User1

61 votes, 4 answers

Is there a way to make sure my government does not swap out SSL certificates?

I was recently wondering whether there exists a way to make sure my government is not swapping out SSL certificates in order to intercept the traffic. I know almost all browsers are complaining in case of a self-signed certificate. But what prevents…

58 votes, 3 answers

Is it common practice for companies to MITM HTTPS traffic?

My company has just introduced a new VPN policy whereby once connected all traffic is routed through the company network. This is to allow for improved monitoring of data theft. It would appear that this policy also performs a man in the middle attack on…
Andy Smith

57 votes, 3 answers

Is receiving fake torrent data possible?

While downloading a file via a torrent, what will happen if some of the peers send me fake chunks? Also, can any of the peers send me a whole fake file? For example, if I download a .torrent file which should download a file with hash sum A, and a…
user156092

54 votes, 5 answers

Are all these attacks possible with WiFi MitM or is it over-hyped nonsense?

My dad sent me this video asking if he should be worried about this? The video shows: a wifi AP broadcasting an airport's wifi name; security researcher seeing the sites the victim browses; security researcher viewing files accessed by victim on…
keithRozario

52 votes, 4 answers

How to verify the checksum of a downloaded file (pgp, sha, etc.)?

Maybe I have been negligent towards the verification of software I download over the Internet, but I (or anybody I ever met) have never tried to verify the checksum of the contents I download. And because of this, I have no idea about how to verify…
ThankYouSRT