Every communication is an act of trust. You trust that the person on the other end is who they claim to be, that your words arrive unaltered, that no one else is listening. A man-in-the-middle attack exploits exactly this trust.
The attacker positions themselves between two parties—invisibly. You think you're talking to your bank. Your bank thinks it's talking to you. In reality, both of you are talking to someone in the middle who reads everything, can change anything, and neither of you knows they exist.
The Fundamental Problem
MITM attacks succeed not through technical wizardry but through exploiting a basic assumption: that when you talk to someone, you're actually talking to them.
Without some way to verify the identity of who you're communicating with, you have no way to know if there's someone in between. The attacker doesn't break your encryption or crack your password. They simply insert themselves into the conversation before any of that matters.
This is why MITM attacks are so dangerous. They don't attack the security of your communication—they attack the assumption that you're communicating with who you think you are.
How Attackers Get in the Middle
There are many ways to position yourself between two parties. All of them exploit the trust inherent in network communication.
ARP spoofing poisons the local network's address tables. Your computer asks "who has this IP address?" and the attacker answers "I do," supplying their own MAC address. They don't even have to wait for the question: most hosts accept unsolicited ARP replies and overwrite their cache with whatever arrives. Claim the gateway's IP toward the victim and the victim's IP toward the gateway, and traffic in both directions flows through the attacker first. On a local network, this is devastatingly simple.
DNS spoofing corrupts the Internet's phone book. You ask "what's the address for my-bank.com?" and the attacker answers with their own server's address. You navigate to what looks like your bank but isn't.
Rogue WiFi access points, often called evil twins, are perhaps the most elegant attack. You see "Starbucks WiFi" and connect. But you're not connecting to the coffee shop's network. You're connecting to someone pretending to be the coffee shop's network, and an open network gives your device no way to tell the two apart. Every packet you send flows through them.
DHCP spoofing hijacks the very process of joining a network. When your device asks "how do I connect to this network?", the attacker answers faster than the real server, handing out a lease that names the attacker's machine as the default gateway and the DNS resolver. From then on every packet leaving the subnet, and every name lookup, goes through them.
The common thread: these attacks don't break anything. They redirect trust.
Defeating Encryption
HTTPS exists specifically to prevent man-in-the-middle attacks. The certificate system lets you verify you're actually talking to who you think you are. So how do attackers bypass it?
SSL stripping prevents encryption from ever starting. If you type "bank.com" into a browser that doesn't already know the site requires HTTPS, your first request goes out as plain HTTP. The attacker intercepts it, connects to your bank over HTTPS themselves, then maintains an unencrypted HTTP connection with you, rewriting every https:// link and redirect in the bank's responses to http:// so you are never upgraded. You never see the padlock because you never got to HTTPS in the first place. The attacker speaks encrypted with your bank and plaintext with you, translating in between. Stripping only works while the browser is willing to start in plaintext, which is exactly the window that HSTS and browser HTTPS-only modes close.
Certificate warnings are the system working correctly—and users defeating it. The attacker presents their own certificate. Your browser screams that something is wrong. You click "proceed anyway" because you've done it before and nothing bad happened. Now the attacker's certificate is trusted, and the MITM is complete.
Compromised certificate authorities are the nightmare scenario. If an attacker obtains a legitimate certificate for a domain they don't own, whether by hacking a CA or by fooling its domain-validation process, they can impersonate that site without any warnings. Your browser trusts the certificate because it's technically valid. Certificate Transparency logs exist to make such mis-issuance discoverable after the fact, but someone has to be watching the logs for your domain; the browser won't notice on its own.
Where MITM Attacks Happen
Public WiFi is the classic hunting ground. Airports, coffee shops, hotels—anywhere people connect to networks they don't control. Attackers set up convincing access points and wait. Everything flows through them: passwords, emails, banking sessions.
Compromised routers turn homes and offices into surveillance platforms. Consumer routers are notoriously insecure: many ship with default administrative credentials and go years without firmware updates. Once compromised, every device behind that router is exposed, because the router already sits in the path of all their traffic.
Local network access enables attackers who get onto your corporate or home network to poison ARP tables and intercept traffic between any two parties on that network.
Infrastructure-level interception happens when the attacker is your ISP or a nation-state. They don't need clever tricks—traffic already flows through them. Without end-to-end encryption, they see everything.
Detecting the Invisible
Well-executed MITM attacks are designed to be invisible. But some signs leak through.
Certificate warnings are the most obvious sign, but only if you don't ignore them. Other signals: a site you know serves HTTPS suddenly loading over plain HTTP, unusual latency or odd network behavior, and authentication prompts that appear when they shouldn't, such as being asked to log in again to a site that should already have a session.
Network monitoring can catch ARP spoofing attempts, DNS response inconsistencies, and unusual traffic patterns. But detection requires actively looking—and attackers who control the network can often hide their tracks.
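The ARP poisoning described under "How Attackers Get in the Middle" leaves a signature that passive monitoring can catch: an IP address that was bound to one MAC address is suddenly claimed by another, usually in an unsolicited reply, and the same new MAC soon claims both the gateway and a victim. The following is an added example, not code from the original article or from any monitoring tool; it models arpwatch-style detection over a constructed list of ARP events (a real monitor would feed these from a packet capture), and the gateway address, hosts and MACs are assumed for illustration.

```python
"""Detect ARP spoofing over a stream of ARP events (added example).

Learns the first MAC seen for each IP (from both requests and replies), then
flags any later claim of that IP by a different MAC. Conflicts on the gateway
IP are rated CRITICAL, an unsolicited reply is noted, and a MAC that has now
claimed more than one IP is marked as two-way poisoning.
"""
from collections import namedtuple

ArpEvent = namedtuple("ArpEvent", "t op sender_ip sender_mac target_ip")

GATEWAY_IP = "192.168.1.1"  # assumed gateway address for this example

# Constructed sample: a normal request/reply, then an attacker (aa:bb:...)
# poisoning both the victim's view of the gateway and the gateway's view of
# the victim, then the real gateway answering again.
SAMPLE_EVENTS = [
    ArpEvent(0.0, "request", "192.168.1.10", "00:11:22:33:44:10", "192.168.1.1"),
    ArpEvent(0.1, "reply",   "192.168.1.1",  "00:11:22:33:44:01", "192.168.1.10"),
    ArpEvent(5.0, "reply",   "192.168.1.1",  "aa:bb:cc:dd:ee:ff", "192.168.1.10"),
    ArpEvent(5.1, "reply",   "192.168.1.10", "aa:bb:cc:dd:ee:ff", "192.168.1.1"),
    ArpEvent(6.0, "reply",   "192.168.1.1",  "00:11:22:33:44:01", "192.168.1.10"),
]


def detect_arp_spoofing(events, gateway_ip=GATEWAY_IP):
    """Return a list of alert dicts; pure function so it runs offline."""
    ip_to_mac = {}        # first MAC learned for each IP
    mac_to_ips = {}       # every IP a MAC has claimed so far
    awaiting_reply = set()  # IPs we have seen a request for (to spot unsolicited replies)
    alerts = []
    for ev in events:
        if ev.op == "request":
            awaiting_reply.add(ev.target_ip)
        # A reply for an IP nobody asked about is gratuitous; attackers rely on these.
        unsolicited = ev.op == "reply" and ev.sender_ip not in awaiting_reply
        if ev.op == "reply":
            awaiting_reply.discard(ev.sender_ip)

        mac_to_ips.setdefault(ev.sender_mac, set()).add(ev.sender_ip)
        known = ip_to_mac.get(ev.sender_ip)
        if known is None:
            ip_to_mac[ev.sender_ip] = ev.sender_mac  # learn the binding
        elif known != ev.sender_mac:
            alerts.append({
                "t": ev.t,
                "ip": ev.sender_ip,
                "old": known,
                "new": ev.sender_mac,
                "unsolicited": unsolicited,
                "severity": "CRITICAL" if ev.sender_ip == gateway_ip else "WARNING",
                # the same MAC claiming a second IP is the classic two-way poison
                "two_way": len(mac_to_ips[ev.sender_mac]) > 1,
            })
    return alerts


if __name__ == "__main__":
    for a in detect_arp_spoofing(SAMPLE_EVENTS):
        print(a)
```

The detector deliberately keeps the first-learned binding rather than updating it on conflict, so a persistent attacker keeps generating alerts while the real host's later replies stay quiet. On a real network you would seed the table from DHCP leases or a known gateway MAC rather than trusting the first reply you happen to see.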
Defense in Layers
No single defense stops all MITM attacks. Protection comes from layers.
Never ignore certificate warnings. They exist for exactly this reason. A certificate warning is your browser telling you that someone might be in the middle. Trust it.
Use HTTPS everywhere. Modern browsers ship an HTTPS-only mode that refuses to start a plaintext connection without asking you first (the HTTPS Everywhere extension that pioneered this has since been retired). Websites can deploy HSTS, a response header that tells returning browsers to use only HTTPS for that host for a set period. HSTS still has a first-visit gap, since the browser has to see the header once over a clean HTTPS connection; HSTS preloading closes it by compiling the site's policy into the browser itself.
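To make concrete why HSTS defeats the SSL stripping described earlier, and where its first-visit gap and preloading fit, here is an added example that models how a browser's HSTS store decides whether a typed http:// navigation must be upgraded. It is not code from the article or from any browser: the class is a simplified model that stores policies only from responses received over HTTPS without certificate errors, honors max-age (0 deletes the policy), includeSubDomains, and a built-in preload set that is a constructed stand-in for the real preload list. Host names and timestamps are constructed.

```python
"""Model of a browser's HSTS store (added example, not browser code)."""
import time

# Constructed stand-in for the preload list compiled into browsers.
# host -> includeSubDomains
PRELOADED = {"preloaded.example": True}


class HstsStore:
    def __init__(self):
        self._policies = {}  # host -> (expires_at, include_subdomains)

    @staticmethod
    def parse_header(value):
        """Parse Strict-Transport-Security; return (max_age, include_sub) or None.

        A missing, malformed or duplicated max-age makes the whole header
        invalid, which RFC 6797 says the client must ignore.
        """
        max_age = None
        include_sub = False
        for directive in value.split(";"):
            name, _, arg = directive.strip().partition("=")
            name = name.strip().lower()
            if name == "max-age":
                arg = arg.strip().strip('"')
                if not arg.isdigit() or max_age is not None:
                    return None
                max_age = int(arg)
            elif name == "includesubdomains":
                include_sub = True
            # "preload" and unknown directives are ignored at runtime
        if max_age is None:
            return None
        return max_age, include_sub

    def record(self, host, header_value, *, over_https, cert_ok, now):
        """Update the store from a response. Returns True if the header was applied.

        A header seen over plain HTTP, or over HTTPS with a certificate error,
        is ignored: otherwise an attacker in the middle could set or clear policy.
        """
        if not (over_https and cert_ok):
            return False
        parsed = self.parse_header(header_value)
        if parsed is None:
            return False
        max_age, include_sub = parsed
        host = host.lower().rstrip(".")
        if max_age == 0:
            self._policies.pop(host, None)   # max-age=0 removes the policy
        else:
            self._policies[host] = (now + max_age, include_sub)
        return True

    def must_upgrade(self, host, now):
        """True if a plain-HTTP request to host must be rewritten to HTTPS."""
        host = host.lower().rstrip(".")
        labels = host.split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            exact = i == 0
            pre = PRELOADED.get(candidate)
            if pre is not None and (exact or pre):
                return True
            pol = self._policies.get(candidate)
            if pol is not None:
                expires_at, include_sub = pol
                if now < expires_at and (exact or include_sub):
                    return True
        return False

    def navigation_url(self, host, path, now):
        """What the browser actually connects to when the user types http://host/path."""
        scheme = "https" if self.must_upgrade(host, now) else "http"
        return f"{scheme}://{host}{path}"


if __name__ == "__main__":
    store = HstsStore()
    now = time.time()
    print(store.navigation_url("bank.test", "/login", now))        # first visit: http
    store.record("bank.test", "max-age=31536000; includeSubDomains",
                 over_https=True, cert_ok=True, now=now)
    print(store.navigation_url("www.bank.test", "/login", now))    # now https
```

The first call shows the stripping window: with an empty store, the browser happily starts with http://, and an attacker on the path can keep it there. Once the policy has been learned over a clean HTTPS connection (or is preloaded), the rewrite happens before any packet leaves the machine, so there is nothing for the attacker to strip.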
VPNs on untrusted networks create an encrypted tunnel that bypasses local MITM attacks. The coffee shop attacker can intercept your traffic, but if it's encrypted to a VPN server, they can't read it.
Certificate pinning tells applications to accept only specific certificates or public keys for specific sites. Even if an attacker has a "valid" certificate from a compromised CA, pinning rejects it. In practice pinning lives inside mobile and desktop apps whose developers control both ends; browsers dropped public key pinning for websites (HPKP) because a mistaken or stale pin locks every user out of the site, and a pin set without a backup key turns a routine key rotation into an outage.
Mutual TLS requires both sides to prove their identity. The server verifies the client; the client verifies the server. There's no middle ground for an attacker to occupy.
Network security measures address the infrastructure layer: dynamic ARP inspection, backed by DHCP snooping bindings, drops forged ARP replies at the switch port; DNSSEC lets resolvers validate DNS responses; and WPA3's SAE handshake resists the offline password cracking that made cloning protected networks easy. An open coffee-shop network remains unauthenticated, though, so a rogue access point with the same name still looks identical to your device.
Beyond Eavesdropping
MITM attacks aren't just about reading your traffic. The attacker can modify it.
They can inject malware into software downloads: you think you're installing a legitimate program, but it's been tampered with in transit, which is why installers served over plain HTTP, and checksums published on the same unauthenticated page as the download, offer no protection; only a signature or a digest obtained over a channel the attacker does not control does. They can modify financial transactions. They can inject content into web pages. They can capture credentials and session cookies and use them immediately for account takeover.
The position of being in the middle is powerful. Attackers use it not just to spy but to act.
Legitimate Uses
Some MITM techniques have valid applications.
Corporate security tools inspect encrypted traffic for malware, operating as an authorized MITM on company networks: the organization installs its own CA on managed devices so the inspection proxy can present certificates those devices will accept, which is also why such proxies break apps that pin certificates. Network troubleshooting sometimes requires traffic interception. Security researchers use the same techniques, typically an interception proxy plus their own trusted root on a test device, to understand vulnerabilities.
These uses raise privacy questions even when legal and authorized. The power to intercept is the power to abuse.