**What is a MITM attack**
A man in the middle (MITM) attack is a general term for when a perpetrator positions himself in a conversation between a user and an application—either to eavesdrop or to impersonate one of the parties, making it appear as if a normal exchange of information is underway.
The goal of an attack is to steal personal information, such as login credentials, account details and credit card numbers. Targets are typically the users of financial applications, SaaS businesses, e-commerce sites, and other websites where logging in is required.

**MITM attack progression**
Successful MITM execution has two distinct phases: interception and decryption.
**Interception**
The first step intercepts user traffic through the attacker’s network before it reaches its intended destination.
The most common (and simplest) way of doing this is a passive attack in which an attacker makes free, malicious WiFi hotspots available to the public. These hotspots are typically named to match their location and aren’t password protected. Once a victim connects to such a hotspot, the attacker gains full visibility into any online data exchange.
Attackers wishing to take a more active approach to interception may launch one of the following attacks:
* IP spoofing
* ARP spoofing
* DNS spoofing
**Decryption**
After interception, any two-way SSL traffic needs to be decrypted without alerting the user or application. A number of methods exist to achieve this:
* HTTPS spoofing
* SSL BEAST
* SSL hijacking
* SSL stripping
**Man in the middle attack prevention**
Blocking MITM attacks requires several practical steps on the part of users, as well as a combination of encryption and verification methods for applications.
For users, this means:
* Avoiding WiFi connections that aren’t password protected.
* Paying attention to browser notifications reporting a website as being unsecured.
* Immediately logging out of a secure application when it’s not in use.
* Not using public networks (e.g., coffee shops, hotels) when conducting sensitive transactions.
For website operators:
Secure communication protocols, including TLS and HTTPS, help mitigate spoofing attacks by robustly encrypting and authenticating transmitted data. Doing so prevents the interception of site traffic and blocks the decryption of sensitive data, such as authentication tokens.
It is considered best practice for applications to use SSL/TLS to secure every page of their site and not just the pages that require users to log in. Doing so helps decrease the chance of an attacker stealing session cookies from a user browsing on an unsecured section of a website while logged in.
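The following check is an added example, not part of the original article: it audits a site's responses for the gaps described above, namely pages served without HTTPS, missing HSTS, and cookies that lack the `Secure` attribute. The host `shop.example`, the response records and the function names are constructed for illustration.

```python
# Added example: flags pages where a session cookie could cross the network in clear text.
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

REDIRECTS = (301, 302, 307, 308)

def audit_response(url, status, headers):
    """Return findings for one response; headers is a list of (name, value) pairs."""
    findings = []
    hdrs = [(name.lower(), value) for name, value in headers]
    if urlsplit(url).scheme == "http":
        location = next((v for k, v in hdrs if k == "location"), "")
        # A plain-HTTP page is acceptable only as a redirect to its HTTPS version.
        if not (status in REDIRECTS and urlsplit(location).scheme == "https"):
            findings.append("page served over plain HTTP")
    elif not any(k == "strict-transport-security" for k, _ in hdrs):
        # Browsers honour HSTS only when it arrives over HTTPS.
        findings.append("missing Strict-Transport-Security header")
    for name, value in hdrs:
        if name != "set-cookie":
            continue
        jar = SimpleCookie()
        jar.load(value)
        for cookie_name, morsel in jar.items():
            if not morsel["secure"]:  # empty string when the flag is absent
                findings.append(f"cookie {cookie_name} lacks Secure attribute")
    return findings

def audit_site(responses):
    """Map each URL with at least one finding to its list of findings."""
    report = {}
    for url, status, headers in responses:
        findings = audit_response(url, status, headers)
        if findings:
            report[url] = findings
    return report

# Constructed sample responses for a hypothetical site, shop.example.
SAMPLE = [
    ("http://shop.example/", 301, [("Location", "https://shop.example/")]),
    ("https://shop.example/login", 200, [
        ("Strict-Transport-Security", "max-age=31536000"),
        ("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly")]),
    ("http://shop.example/catalog", 200, [("Set-Cookie", "session=abc123; Path=/; HttpOnly")]),
    ("https://shop.example/help", 200, [("Set-Cookie", "prefs=dark; Path=/")]),
]

if __name__ == "__main__":
    for url, findings in audit_site(SAMPLE).items():
        print(url, "->", "; ".join(findings))
```

The catalog page in the sample is the case the paragraph above warns about: a logged-in user browsing it sends the session cookie over an unencrypted connection.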