A man-in-the-middle (MITM) attack is exactly what it sounds like: an attacker positions themselves between two parties who think they are communicating directly with each other. The attacker can eavesdrop on the conversation, steal sensitive data, or even alter messages in transit -- all without either party realizing it.
How MITM Attacks Work
In a normal connection, your device communicates directly with a server. In a MITM attack, the attacker intercepts this communication by convincing your device to send traffic through them, or by convincing the server that the attacker is you. The attacker then relays messages between both parties, reading or modifying them along the way.
The key challenge for the attacker is getting into the middle of the communication in the first place. There are several well-known techniques for doing this.
Common MITM Techniques
ARP Spoofing
On a local network, devices use the Address Resolution Protocol (ARP) to map IP addresses to physical MAC addresses. ARP has no authentication: devices cache whatever ARP replies they receive, even unsolicited ones. An attacker on the same network segment can send forged replies claiming that their MAC address corresponds to the router's IP address (and, in the other direction, that it corresponds to each victim's IP). Victim devices then send traffic destined for the router to the attacker, who forwards it on so that nothing appears broken. Tools like arpspoof and ettercap make this trivially easy on any network that lacks protections such as Dynamic ARP Inspection on the switch or static ARP entries for the gateway.
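The defensive counterpart of the attack above is to watch ARP replies and flag an IP address whose MAC suddenly changes, or a single MAC that starts answering for many addresses. The following is an added example (not code from the original article); the ARP records in SAMPLE_REPLIES are constructed for illustration, and in practice they would come from a packet capture.

```python
"""Detect ARP spoofing from a stream of ARP replies (added example).

The approach is the one arpwatch uses: remember the first MAC that claimed
each IP (or a trusted static binding) and alert when a later reply claims
the same IP from a different MAC.
"""
from collections import defaultdict

# Constructed sample: (sender_ip, sender_mac) pairs as seen in ARP replies.
# The gateway 192.168.1.1 is aa:bb:cc:00:00:01. The attacker at
# de:ad:be:ef:00:01 starts claiming the gateway's IP (and a victim's) midway.
SAMPLE_REPLIES = [
    ("192.168.1.1",  "aa:bb:cc:00:00:01"),
    ("192.168.1.20", "aa:bb:cc:00:00:20"),
    ("192.168.1.21", "aa:bb:cc:00:00:21"),
    ("192.168.1.1",  "aa:bb:cc:00:00:01"),
    ("192.168.1.50", "de:ad:be:ef:00:01"),   # attacker's own address
    ("192.168.1.1",  "de:ad:be:ef:00:01"),   # spoofed: gateway IP, attacker MAC
    ("192.168.1.20", "de:ad:be:ef:00:01"),   # spoofed: poisoning the gateway too
    ("192.168.1.1",  "de:ad:be:ef:00:01"),
]


class ArpWatch:
    """Track IP-to-MAC bindings seen in ARP replies and flag conflicts."""

    def __init__(self, trusted=None):
        # Optional static bindings (e.g. the gateway) that must never change.
        self.trusted = {ip: mac.lower() for ip, mac in (trusted or {}).items()}
        self.bindings = dict(self.trusted)      # ip -> MAC we believe is right
        self.ips_by_mac = defaultdict(set)      # mac -> IPs it has claimed
        self.alerts = []                        # (ip, expected_mac, seen_mac)

    def observe(self, ip, mac):
        mac = mac.lower()
        self.ips_by_mac[mac].add(ip)
        known = self.bindings.get(ip)
        if known is None:
            self.bindings[ip] = mac             # first sighting: trust on first use
        elif mac != known:
            self.alerts.append((ip, known, mac))
            # Deliberately do not overwrite the binding: an attacker must not
            # be able to "retrain" the monitor by flooding forged replies.

    def suspicious_macs(self, threshold=2):
        """MACs claiming at least `threshold` IPs.

        Heuristic only: routers or hosts running VMs legitimately answer for
        several addresses, so tune the threshold for your network.
        """
        return {m for m, ips in self.ips_by_mac.items() if len(ips) >= threshold}


def analyze(replies, trusted=None):
    """Feed every (ip, mac) reply to an ArpWatch and return it for inspection."""
    watch = ArpWatch(trusted)
    for ip, mac in replies:
        watch.observe(ip, mac)
    return watch


if __name__ == "__main__":
    w = analyze(SAMPLE_REPLIES, trusted={"192.168.1.1": "aa:bb:cc:00:00:01"})
    for ip, old, new in w.alerts:
        print(f"ALERT: {ip} moved from {old} to {new}")
    print("MACs claiming multiple IPs:", sorted(w.suspicious_macs()))
```

Pinning the gateway as a trusted binding matters: without it the monitor trusts whichever MAC answered first, which an attacker who is already on the segment when the victim boots can exploit.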
DNS Spoofing
Instead of intercepting all traffic, DNS spoofing redirects specific domain lookups to attacker-controlled servers. Plain DNS responses carry no authentication (DNSSEC adds it, but few resolvers and clients validate), so an attacker who can answer the query first, or poison a resolver's cache, decides which address the name resolves to. When you type bank.com, the spoofed response points you to the attacker's server, which serves a pixel-perfect copy of the real site. You enter your credentials, and the attacker captures them while forwarding your request to the real bank to avoid suspicion. Against an HTTPS site the copy cannot present a valid certificate for bank.com, so the browser would warn; in practice the technique is combined with SSL stripping, a fraudulently issued certificate, or a plain-HTTP target.
SSL Stripping
Even when a website supports HTTPS, the initial connection often starts as HTTP (an address typed without a scheme, or a link from another page) before the server redirects to HTTPS. An attacker in the middle can swallow this redirect and maintain an unencrypted HTTP connection with the victim while making their own encrypted HTTPS connection to the server, rewriting https:// links and redirects to http:// in every page they relay. The server sees a normal HTTPS client, and the victim sees http:// instead of https:// in the address bar, which most people do not notice.
Rogue Wi-Fi Access Points
The simplest MITM technique requires no exploitation at all. The attacker sets up a Wi-Fi access point with an enticing name, such as "Free Airport WiFi", or a name identical to a legitimate network (an "evil twin"). Anyone who connects routes all their traffic through the attacker's device, which can then apply any of the techniques above. With a laptop and a portable hotspot, this can be set up in minutes at any public location.
BGP Hijacking
At internet scale, Border Gateway Protocol (BGP) hijacking redirects traffic for entire IP ranges through an attacker's network. BGP has no built-in way to verify that a network is entitled to announce a prefix, so any network operator can announce routes for addresses they do not own; other networks accept the announcement unless they filter it or validate it against RPKI, which is only partially deployed. This has been used for cryptocurrency theft, surveillance, and redirecting traffic for entire countries.
Real-World MITM Scenarios
MITM attacks are not theoretical -- they happen constantly:
- Public Wi-Fi interception -- Coffee shops, hotels, and airports are prime locations. Attackers can capture login credentials, session tokens, and personal data from anyone on the same network.
- Corporate proxy inspection -- Many companies run HTTPS-inspecting proxies that are technically MITM devices. They decrypt employee traffic, inspect it for threats or policy violations, and re-encrypt it. This works because the company installs its own root certificate on managed devices, so the proxy can mint a certificate for any site that the browser will accept. It is usually disclosed in employment agreements, but it means your employer can see all your web traffic, and a compromise of the proxy's signing key exposes all of it to someone else.
- Nation-state surveillance -- Governments have used compromised Certificate Authorities to issue fraudulent certificates, enabling large-scale MITM surveillance of their citizens' encrypted communications; the 2011 DigiNotar breach, in which a fraudulent google.com certificate was used against users in Iran, is the best-known case.
- Compromised routers -- Home routers with default passwords or unpatched firmware can be taken over by attackers, who then modify DNS settings to redirect traffic through their servers.
How TLS Prevents MITM
Transport Layer Security (TLS) is the primary defense against MITM attacks, and it works through several mechanisms:
- Certificate verification -- The server presents a certificate, and the client checks both that it chains to a root the client trusts and that the name in it matches the hostname being connected to. An attacker cannot obtain a valid certificate for a domain they do not control (assuming the CA system is not compromised). Clients that disable either check, for example by turning off hostname verification to silence an error, reintroduce the attack.
- Key exchange -- TLS uses algorithms like (elliptic-curve) Diffie-Hellman to establish a shared encryption key without ever transmitting it, so a passive attacker who records every packet cannot derive it. Key exchange alone does not stop an active attacker, who could simply run a separate exchange with each side; what prevents that is the server signing the handshake with the private key matching its certificate, which binds the exchanged values to the verified identity.
- HSTS (HTTP Strict Transport Security) -- Websites can tell browsers to always use HTTPS, preventing the initial HTTP connection that SSL stripping exploits. Once a browser receives an HSTS header, it will refuse to connect over HTTP for the period given by max-age. The very first visit is still exposed unless the site is on the browsers' HSTS preload list.
- Certificate pinning -- Critical applications (like banking apps) can pin specific certificates or public keys, rejecting connections that present any other certificate, even a valid one from a different CA. This blocks fraudulently issued certificates and also most inspection proxies. Pinning in browsers (HPKP) has been withdrawn because a bad pin locks users out of a site, so today it is mainly a mobile-app technique and needs a key rotation plan.
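The relay described under "How MITM Attacks Work" and the key-exchange point above are easiest to see in code. The following added example (not from the original article) runs a Diffie-Hellman handshake four ways: with and without an active attacker in the path, and with and without the responder authenticating the exchange. The authentication uses an HMAC over the transcript with a long-term key only Bob holds; this stands in for the certificate signature TLS uses and is an assumption made for a self-contained demo, as is the use of the 1024-bit RFC 2409 group 2 parameters, which are too small for real deployments.

```python
"""Unauthenticated vs. authenticated Diffie-Hellman against an active MITM
(added example). Standard library only.
"""
import hashlib
import hmac
import secrets

# 1024-bit MODP prime from RFC 2409 (group 2), generator 2. Embedded because it
# is short; real deployments use 2048-bit or larger groups or elliptic curves.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2
NBYTES = 128  # byte length of P


def keypair():
    """Fresh ephemeral DH key: private exponent x and public value g^x mod p."""
    x = secrets.randbelow(P - 2) + 2
    return x, pow(G, x, P)


def shared_key(priv, peer_pub):
    """Derive a session key from the DH shared secret."""
    return hashlib.sha256(pow(peer_pub, priv, P).to_bytes(NBYTES, "big")).digest()


def transcript(pub_a, pub_b):
    return pub_a.to_bytes(NBYTES, "big") + pub_b.to_bytes(NBYTES, "big")


def sign(identity_key, data):
    # Stand-in for the certificate signature in TLS (assumption for this demo).
    return hmac.new(identity_key, data, hashlib.sha256).digest()


def run(authenticate, attacker_in_path):
    """Simulate Alice <-> [Mallory] <-> Bob and report what each party ends up with."""
    bob_identity_key = secrets.token_bytes(32)   # stands in for Bob's cert private key
    a, A = keypair()
    if attacker_in_path:
        m1, M1 = keypair()   # Mallory's value shown to Bob in place of A
        m2, M2 = keypair()   # Mallory's value shown to Alice in place of B
        a_seen_by_bob = M1
    else:
        a_seen_by_bob = A
    b, B = keypair()
    # Bob signs the transcript as he saw it; Mallory cannot forge this.
    sig = sign(bob_identity_key, transcript(a_seen_by_bob, B)) if authenticate else b""
    b_seen_by_alice = M2 if attacker_in_path else B
    if authenticate:
        expected = sign(bob_identity_key, transcript(A, b_seen_by_alice))
        if not hmac.compare_digest(sig, expected):
            return {"completed": False, "keys_match": False, "mallory_reads": False}
    k_alice = shared_key(a, b_seen_by_alice)
    k_bob = shared_key(b, a_seen_by_bob)
    mallory_reads = attacker_in_path and (
        shared_key(m2, A) == k_alice and shared_key(m1, B) == k_bob)
    return {"completed": True, "keys_match": k_alice == k_bob,
            "mallory_reads": bool(mallory_reads)}


if __name__ == "__main__":
    for auth in (False, True):
        for mitm in (False, True):
            print(f"authenticated={auth!s:5} attacker={mitm!s:5} ->", run(auth, mitm))
```

In the unauthenticated case with an attacker present, Alice and Bob each complete a perfectly good handshake and never learn that their keys differ: Mallory holds both and re-encrypts between them. With the transcript signed, Alice's verification fails as soon as Mallory substitutes a value, which is exactly what a browser certificate error is telling you.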
Defense Strategies
Protecting yourself from MITM attacks requires a combination of tools and awareness:
- Always verify HTTPS -- Before entering any credentials or sensitive information, check that the address bar shows https:// and no warning (some browsers no longer show a padlock icon for HTTPS and instead flag plain HTTP as "Not secure"). Enable HTTPS-Only mode in your browser to automate this.
- Use a VPN on untrusted networks -- A VPN encrypts all traffic between your device and the VPN server, so an attacker on the local network sees only encrypted tunnel traffic and cannot read or modify it, though they can still block it. This moves trust to the VPN provider, whose network then sits in the middle of everything you send.
- Be suspicious of certificate warnings -- If your browser warns about a certificate problem on a site you visit regularly, do not dismiss it. This could indicate an active MITM attack.
- Keep software updated -- Updates include support for the latest TLS versions and fix vulnerabilities that MITM attacks exploit. Older TLS versions have known weaknesses; TLS 1.0 and 1.1 are deprecated and should be disabled on both clients and servers.
- Verify network connections -- On public Wi-Fi, confirm the exact network name with staff before connecting. Avoid connecting to open networks without encryption.
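HSTS and HTTPS-Only mode both come down to a decision the browser makes before sending a request: is this host known to require HTTPS? The following added example (not from the original article) models the browser-side HSTS cache from RFC 6797 with a fake clock so expiry can be tested, and shows the two rules that matter against SSL stripping: a policy is only accepted when the header arrives over HTTPS, and a host the browser has never seen (and that is not preloaded) gets no protection on the first visit. The preload entry, host names and header values are constructed for the demo.

```python
"""Minimal HSTS policy store (added example): when must http:// become https://?"""
import time
from urllib.parse import urlsplit, urlunsplit


class HstsStore:
    def __init__(self, preload=None, clock=time.time):
        self.clock = clock
        # Constructed stand-in for the browser's built-in preload list:
        # host -> includeSubDomains. Preloaded entries never expire and cannot
        # be cleared by a max-age=0 header.
        self.preload = {h.lower(): bool(i) for h, i in (preload or {}).items()}
        self.policies = {}  # host -> (expiry_timestamp, include_subdomains)

    def record_header(self, host, value, received_over_https=True):
        """Process a Strict-Transport-Security header sent by `host`.

        RFC 6797 section 8.1: ignore the header over plain HTTP (otherwise an
        on-path attacker could plant or delete policies). max-age=0 deletes.
        Returns True if the header was accepted.
        """
        if not received_over_https:
            return False
        host = host.lower()
        max_age, include = None, False
        for directive in value.split(";"):
            name, _, val = directive.strip().partition("=")
            name = name.strip().lower()
            if name == "max-age":
                try:
                    max_age = int(val.strip().strip('"'))
                except ValueError:
                    return False
            elif name == "includesubdomains":
                include = True
        if max_age is None or max_age < 0:
            return False
        if max_age == 0:
            self.policies.pop(host, None)
        else:
            self.policies[host] = (self.clock() + max_age, include)
        return True

    def is_known_host(self, host):
        """True if `host` or a covering parent domain has a live policy."""
        now = self.clock()
        labels = host.lower().split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            exact = (i == 0)
            if candidate in self.preload and (exact or self.preload[candidate]):
                return True
            pol = self.policies.get(candidate)
            if pol is None:
                continue
            expiry, include = pol
            if expiry <= now:
                self.policies.pop(candidate, None)   # expired: evict lazily
                continue
            if exact or include:
                return True
        return False

    def rewrite(self, url):
        """Upgrade an http:// URL to https:// when policy requires it."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not parts.hostname:
            return url
        if not self.is_known_host(parts.hostname):
            return url
        netloc = parts.netloc[:-3] if parts.netloc.endswith(":80") else parts.netloc
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
```

A first request to a never-seen host still goes out over HTTP, which is the window SSL stripping needs; HTTPS-Only mode closes it by treating every host as if it were pinned, at the cost of prompting on sites that genuinely lack HTTPS.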
MITM attacks exploit the gap between where your data goes and where you think it goes. Encryption, certificate verification, and healthy skepticism about network connections are your best defenses.