A Man-in-the-Middle (MitM) attack occurs when an attacker secretly positions themselves between two communicating parties, typically a user's browser and a web server, intercepting and potentially altering the traffic flowing between them. Both the victim and the server believe they are communicating directly with each other; neither sees the attacker's relay.
How MitM Attacks Work
Common MitM scenarios include:
- ARP spoofing — The attacker sends forged ARP replies on a local network, claiming the gateway's IP address for their own MAC address, so that other hosts send gateway-bound traffic to the attacker, who forwards it on and reads it in transit.
- Rogue Wi-Fi hotspot — A fake public Wi-Fi network (often named like a legitimate one) tricks users into connecting. The attacker operates the access point and therefore sees every packet the victim sends.
- SSL stripping — The attacker intercepts the victim's initial plaintext HTTP request (or the server's redirect to HTTPS) and rewrites https:// links to http://, so the victim keeps talking unencrypted HTTP to the attacker while the attacker maintains HTTPS with the real server. It only works when the victim's first request to the site is made over plain HTTP.
- DNS spoofing — Forged DNS responses direct the victim to an IP address the attacker controls instead of the real server.
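Detecting the ARP-spoofing scenario above from the network side, as an added Python example that is not part of the original article. The traffic is a constructed capture in the style of `tcpdump -n arp` output, with a made-up gateway `192.168.1.1`, victim `192.168.1.20` and attacker MAC `aa:bb:cc:dd:ee:ff`; the detector flags an IP whose announced MAC changes and a MAC that claims more than one IP.

```python
# Added example (not from the original article): a minimal ARP-spoofing detector
# run over constructed tcpdump-style ARP lines. It flags two symptoms of
# poisoning: an IP whose sender MAC changes, and one MAC claiming several IPs
# (an attacker impersonating both the gateway and the victim).
import re
from collections import defaultdict

# Constructed sample capture in `tcpdump -n arp` format. The attacker at
# aa:bb:cc:dd:ee:ff first poisons the gateway entry, then the victim entry.
SAMPLE_CAPTURE = """\
12:00:01.000001 ARP, Reply 192.168.1.1 is-at 00:11:22:33:44:55, length 28
12:00:01.500000 ARP, Request who-has 192.168.1.1 tell 192.168.1.20, length 28
12:00:02.000000 ARP, Reply 192.168.1.20 is-at 66:77:88:99:aa:bb, length 28
12:00:05.000000 ARP, Reply 192.168.1.1 is-at aa:bb:cc:dd:ee:ff, length 28
12:00:05.100000 ARP, Reply 192.168.1.20 is-at aa:bb:cc:dd:ee:ff, length 28
"""

ARP_REPLY_RE = re.compile(
    r"ARP, Reply (\d+\.\d+\.\d+\.\d+) is-at ([0-9a-fA-F:]{17})"
)

def parse_arp_replies(text):
    """Extract (ip, mac) pairs from ARP Reply lines; requests are ignored."""
    return [(m.group(1), m.group(2).lower()) for m in ARP_REPLY_RE.finditer(text)]

def detect_arp_spoofing(replies, trusted=None):
    """Return alert strings for suspicious ARP replies, in arrival order.

    `replies` is an iterable of (ip, mac) pairs. `trusted` optionally maps IPs
    to the MAC they are known to have (e.g. the gateway, from an inventory),
    so a poisoned gateway is caught on the very first forged reply.
    A MAC holding several IPs can be legitimate (a router, a host with
    aliases), so that alert is a heuristic to be tuned per network.
    """
    ip_to_mac = {ip: mac.lower() for ip, mac in (trusted or {}).items()}
    mac_to_ips = defaultdict(set)
    for ip, mac in ip_to_mac.items():
        mac_to_ips[mac].add(ip)

    alerts = []
    for ip, mac in replies:
        mac = mac.lower()
        previous = ip_to_mac.get(ip)
        if previous is not None and previous != mac:
            alerts.append(f"MAC change for {ip}: {previous} -> {mac}")
            mac_to_ips[previous].discard(ip)
        ip_to_mac[ip] = mac
        mac_to_ips[mac].add(ip)
        if len(mac_to_ips[mac]) > 1:
            alerts.append(f"{mac} claims multiple IPs: {sorted(mac_to_ips[mac])}")
    return alerts

if __name__ == "__main__":
    for alert in detect_arp_spoofing(parse_arp_replies(SAMPLE_CAPTURE)):
        print(alert)
```

On a real host the same logic can be fed from `tcpdump -n -l arp` or from periodic snapshots of the ARP cache; the `trusted` map is what turns "the gateway's MAC changed" from a weak signal into a high-confidence alert.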
What Attackers Can Do
- Read credentials, messages and private data in transit.
- Inject malicious content into web pages.
- Capture session cookies or tokens and reuse them to hijack the victim's authenticated session.
How HTTPS Prevents MitM
TLS (HTTPS) prevents MitM attacks by authenticating the server: the server presents a certificate for its domain signed by a Certificate Authority (CA) the client trusts, and the client checks the signature chain, the hostname and the validity period before sending any application data. An attacker relaying HTTPS traffic would need a certificate for the domain that the victim's client accepts. That requires the site's private key, a certificate mis-issued by a trusted CA, or a CA certificate installed in the victim's trust store (for example a corporate or malware-installed root). The protection therefore holds only when the client actually connects over HTTPS and enforces validation; an app that disables certificate verification, or a user who clicks through a certificate warning, hands the attacker the connection, and SSL stripping works precisely because the victim never reaches HTTPS in the first place.
Additional Defences
- HSTS — The Strict-Transport-Security response header tells the browser to use only HTTPS for the host (and optionally its subdomains) for max-age seconds. The browser then upgrades http:// URLs itself before any request leaves the device and refuses to proceed past certificate errors, which defeats SSL stripping. The policy is learned on the first HTTPS visit, so that first visit remains exposed unless the site is on the browser preload list.
- Certificate pinning — Applications accept only specific certificates or public keys for their domain, so a certificate from any other CA is rejected even if it chains to a trusted root. Used mainly in mobile apps; browsers no longer support site-controlled pinning (HPKP), and a pin that is not rotated carefully can lock users out of the service.
- VPN on public Wi-Fi — Encrypts all traffic between the device and the VPN endpoint, so an attacker on the local network or rogue hotspot sees only the tunnel. This moves trust to the VPN provider rather than removing it, and it does not replace TLS beyond the VPN endpoint.
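The SSL-stripping rewrite from the scenario list and the HSTS defence side by side, as an added Python example that is not part of the original article. The site `bank.example`, the page fragment and the header value are constructed for the demonstration; the client-side policy store follows the RFC 6797 rules for max-age, includeSubDomains, expiry and preloading.

```python
# Added example (not from the original article): an SSL-stripping rewrite next
# to a minimal HSTS-aware client that refuses the downgrade. Hosts, page
# content and header values are constructed for the demonstration.
import re
import time
from urllib.parse import urlsplit, urlunsplit

# --- Attacker side: what a stripping proxy does to a plaintext response ---
def strip_https_links(html):
    """Rewrite every https:// link to http:// so the victim keeps talking
    plaintext to the proxy while the proxy speaks HTTPS to the real site."""
    return re.sub(r"https://", "http://", html, flags=re.IGNORECASE)

# --- Server side: the header that enables the defence (one year) ---
HSTS_HEADER = "max-age=31536000; includeSubDomains"

# --- Client side: a minimal HSTS policy store ---
class HstsStore:
    def __init__(self, preloaded=()):
        # host -> (expiry timestamp, include_subdomains); preloaded never expires
        self._policies = {host.lower(): (float("inf"), True) for host in preloaded}

    def record(self, host, header_value, now=None):
        """Remember a Strict-Transport-Security header received over HTTPS.
        RFC 6797 says the header is ignored when it arrives over plain HTTP,
        which is why a stripping proxy cannot plant a bogus policy."""
        now = time.time() if now is None else now
        directives = {}
        for part in header_value.split(";"):
            name, _, value = part.strip().partition("=")
            directives[name.strip().lower()] = value.strip()
        max_age = int(directives.get("max-age", "0"))
        if max_age <= 0:
            self._policies.pop(host.lower(), None)   # max-age=0 clears the policy
            return
        self._policies[host.lower()] = (now + max_age, "includesubdomains" in directives)

    def is_protected(self, host, now=None):
        """True if host, or a parent with includeSubDomains, has a live policy."""
        now = time.time() if now is None else now
        labels = host.lower().split(".")
        for i in range(len(labels)):
            policy = self._policies.get(".".join(labels[i:]))
            if policy is None:
                continue
            expiry, include_subdomains = policy
            if expiry >= now and (i == 0 or include_subdomains):
                return True
        return False

    def rewrite_url(self, url, now=None):
        """Upgrade http:// to https:// (port 80 to 443) for protected hosts."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not self.is_protected(parts.hostname or "", now):
            return url
        netloc = f"{parts.hostname}:443" if parts.port == 80 else parts.netloc
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))

def demo(now=1_700_000_000):
    """Stripped link as seen by a first-time visitor, a returning visitor with a
    stored policy, and the same visitor after the policy has expired."""
    page = '<a href="https://bank.example/login">Log in</a>'
    link = re.search(r'href="([^"]+)"', strip_https_links(page)).group(1)

    first_visit = HstsStore()                              # no policy yet
    returning = HstsStore()
    returning.record("bank.example", HSTS_HEADER, now)     # learned over HTTPS earlier
    return {
        "stripped_link": link,
        "without_hsts": first_visit.rewrite_url(link, now),
        "with_hsts": returning.rewrite_url(link, now),
        "after_expiry": returning.rewrite_url(link, now + 31536001),
    }

if __name__ == "__main__":
    for label, url in demo().items():
        print(f"{label:>14}: {url}")
```

The "without_hsts" result is the window SSL stripping relies on: a browser with no stored policy follows the rewritten plaintext link as written. Preloading closes that window, which is what `HstsStore(preloaded=[...])` models.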