Man-in-the-Middle Attack (MITM)
Last updated: 2026-03-05
What Is a Man-in-the-Middle Attack
A man-in-the-middle attack (MITM) is an attack technique where an attacker inserts themselves between two communicating parties to intercept and potentially alter the communication. The victims believe they are communicating directly with the legitimate party, making the attack difficult to detect.
For this attack to succeed, the attacker must insert themselves into the communication path. Public Wi-Fi, ARP spoofing, DNS spoofing, and rogue access points are common methods for achieving this position.
Common Attack Techniques
Man-in-the-middle attacks employ several representative techniques.
- ARP Spoofing: Sending forged ARP (Address Resolution Protocol) replies on a local network so that hosts associate the communication partner's IP address with the attacker's MAC address. Traffic between hosts on the same network segment then flows through the attacker's machine, where it can be read or modified.
- DNS Spoofing: Returning forged DNS responses to redirect the victim to a fake server. Even when typing the correct URL, the victim connects to the attacker's server. DNS cache poisoning can affect all users of a targeted DNS server.
- SSL Stripping: Downgrading an HTTPS connection to HTTP. The attacker maintains an HTTPS connection with the real server while communicating with the victim over HTTP. The victim sees no lock icon but may not notice on familiar sites. HSTS is an effective countermeasure.
- Rogue Access Points: Setting up a fake Wi-Fi access point with a name similar to a legitimate one (e.g., "Cafe_WiFi_Free"). All traffic from connected users passes through the attacker's device.
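ARP spoofing, the first technique above, leaves a simple trace on the wire: an IP address that was answered for by one MAC address suddenly being answered for by another. The following Go program is an added example (not code from the original article) of that detection logic. It runs over a constructed batch of ARP replies standing in for what a packet capture on the segment would deliver; the addresses are made up for the demo.

```go
package main

import (
	"fmt"
	"strings"
)

// ArpReply is one observed "IP is at MAC" answer. In a real deployment these
// come from a packet capture on the segment; below they are constructed.
type ArpReply struct {
	IP  string
	MAC string
}

// Watcher remembers which MAC first answered for each IP and flags changes,
// the tell-tale of ARP spoofing (a device answering for the gateway or a peer).
type Watcher struct {
	first map[string]string // IP -> MAC seen first
}

func NewWatcher() *Watcher { return &Watcher{first: map[string]string{}} }

// Observe feeds one reply and returns an alert line, or "" when the reply is
// consistent with what was seen before. Every conflicting reply is reported,
// because poisoning is typically repeated to keep the victim's cache overwritten.
func (w *Watcher) Observe(r ArpReply) string {
	mac := strings.ToLower(r.MAC) // normalise case so AA:BB and aa:bb compare equal
	prev, seen := w.first[r.IP]
	if !seen {
		w.first[r.IP] = mac
		return ""
	}
	if prev != mac {
		return fmt.Sprintf("ALERT: %s previously at %s, now claimed by %s", r.IP, prev, mac)
	}
	return ""
}

// Alerts runs a batch through a fresh Watcher and returns every alert raised.
func Alerts(replies []ArpReply) []string {
	w := NewWatcher()
	var out []string
	for _, r := range replies {
		if a := w.Observe(r); a != "" {
			out = append(out, a)
		}
	}
	return out
}

// SampleReplies is constructed traffic: the gateway 192.168.1.1 answers from its
// own MAC, then a second device starts answering for the gateway's address.
var SampleReplies = []ArpReply{
	{"192.168.1.1", "AA:BB:CC:00:00:01"},
	{"192.168.1.20", "aa:bb:cc:00:00:14"},
	{"192.168.1.1", "aa:bb:cc:00:00:01"},
	{"192.168.1.1", "de:ad:be:ef:00:99"},
	{"192.168.1.20", "aa:bb:cc:00:00:14"},
	{"192.168.1.1", "de:ad:be:ef:00:99"},
}

func main() {
	for _, a := range Alerts(SampleReplies) {
		fmt.Println(a)
	}
}
```

Two alerts are raised for the sample, one per forged reply. In practice the same signal also fires on legitimate changes (a replaced network card, DHCP handing an address to a different device, router failover), so a deployment would correlate it with the known gateway MAC and with timing rather than treating every change as an incident.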
Defense Strategies and the Importance of Encryption
The most fundamental defense against MITM attacks is thorough encryption and authentication of communications.
Communication Encryption
- Use TLS 1.3: TLS 1.3 hardens the handshake against downgrade attacks. TLS 1.0 and 1.1 have known vulnerabilities and should be disabled.
- Enable HSTS: Forces the browser to always use HTTPS, preventing SSL stripping attacks. Registering for HSTS preload provides protection from the very first connection.
- Certificate Pinning: Pinning expected certificates in the application prevents acceptance of forged certificates. Commonly used in mobile apps and API clients.
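HSTS appears twice on this page, as the countermeasure to SSL stripping and as the "Enable HSTS" item just above. The following Go code is an added example (not code from the original article) of the client side of that mechanism: parsing the Strict-Transport-Security header, keeping a per-host policy store, and deciding whether a plain http:// request must be upgraded before any bytes leave the machine. The preload-eligibility thresholds are assumed from the requirements hstspreload.org publishes (max-age of at least one year, includeSubDomains, preload); host names and header values in the test are constructed.

```go
package main

import (
	"errors"
	"strconv"
	"strings"
	"time"
)

// Policy is the parsed form of a Strict-Transport-Security header (RFC 6797).
type Policy struct {
	MaxAge            int64 // seconds the policy stays in force; 0 means "forget it"
	IncludeSubDomains bool
	Preload           bool
}

// ParseHSTS parses the header value: directives separated by ';', names are
// case-insensitive, max-age is mandatory and may appear only once.
func ParseHSTS(value string) (Policy, error) {
	var p Policy
	haveMaxAge := false
	for _, part := range strings.Split(value, ";") {
		name, val, _ := strings.Cut(strings.TrimSpace(part), "=")
		name = strings.ToLower(strings.TrimSpace(name))
		val = strings.Trim(strings.TrimSpace(val), `"`)
		switch name {
		case "max-age":
			if haveMaxAge {
				return Policy{}, errors.New("hsts: duplicate max-age")
			}
			n, err := strconv.ParseInt(val, 10, 64)
			if err != nil || n < 0 {
				return Policy{}, errors.New("hsts: invalid max-age")
			}
			p.MaxAge, haveMaxAge = n, true
		case "includesubdomains":
			p.IncludeSubDomains = true
		case "preload":
			p.Preload = true
		}
		// Unknown directives are ignored, as the RFC requires.
	}
	if !haveMaxAge {
		return Policy{}, errors.New("hsts: max-age missing")
	}
	return p, nil
}

// PreloadEligible reports whether the header meets the submission requirements
// assumed here from hstspreload.org: max-age of at least one year, plus the
// includeSubDomains and preload directives.
func PreloadEligible(p Policy) bool {
	return p.MaxAge >= 31536000 && p.IncludeSubDomains && p.Preload
}

// Store is the client-side memory of known HSTS hosts, keyed by host name.
type Store struct{ hosts map[string]entry }

type entry struct {
	Policy
	expires time.Time
}

func NewStore() *Store { return &Store{hosts: map[string]entry{}} }

// Remember records the header a host sent. Callers must only pass headers that
// arrived over a successfully verified HTTPS connection; RFC 6797 requires
// ignoring the header on plain HTTP or on a connection with certificate errors.
func (s *Store) Remember(host, header string, now time.Time) error {
	p, err := ParseHSTS(header)
	if err != nil {
		return err
	}
	host = strings.ToLower(host)
	if p.MaxAge == 0 {
		delete(s.hosts, host)
		return nil
	}
	s.hosts[host] = entry{p, now.Add(time.Duration(p.MaxAge) * time.Second)}
	return nil
}

// ShouldUpgrade reports whether a plain http:// request to host must be rewritten
// to https:// before anything is sent, which is what defeats SSL stripping.
// A host the client has never seen (and that is not preloaded) is not upgraded:
// that first-connection gap is exactly what the preload list closes.
func (s *Store) ShouldUpgrade(host string, now time.Time) bool {
	host = strings.ToLower(host)
	for known, e := range s.hosts {
		if now.After(e.expires) {
			continue // expired policy; a real client would also evict it
		}
		if host == known || (e.IncludeSubDomains && strings.HasSuffix(host, "."+known)) {
			return true
		}
	}
	return false
}
```

The store is what a browser consults before it sends a plaintext request; a stripping proxy never gets the chance to downgrade a host that is already known. Shipping the preload list in the client is the same check with the store pre-filled, which is why preload removes the first-connection exposure.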
Authentication
- Two-Factor Authentication: Even if credentials are intercepted, the attacker cannot log in without the second factor. Hardware keys (FIDO2) are the most resistant to MITM attacks.
- Mutual TLS (mTLS): Both client and server authenticate each other with certificates. Used in API communication and microservice architectures.
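The "Use TLS 1.3" and "Certificate Pinning" items above, and the certificate-based server authentication that mTLS extends to the client, come together in a client's TLS configuration. The Go program below is an added example (not code from the original article): it refuses anything below TLS 1.3, verifies the chain normally, and then checks a SHA-256 pin of the server's leaf certificate on top. To run offline it generates a throwaway self-signed certificate and a loopback server at runtime; no real host, key or pin value is involved, and the all-zero pin stands in for "the pin of some other certificate".

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"errors"
	"math/big"
	"net"
	"time"
)

// ErrPinMismatch: the chain verified, but the leaf is not the pinned certificate.
var ErrPinMismatch = errors.New("certificate pin mismatch")

// selfSigned generates a throwaway self-signed server certificate for 127.0.0.1.
// It exists only for this demo; no real identity or key is involved.
func selfSigned() (tls.Certificate, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		IPAddresses:  []net.IP{net.ParseIP("127.0.0.1")},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, _ := x509.ParseCertificate(der) // cannot fail: CreateCertificate just produced it
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, leaf, nil
}

// ClientConfig builds the hardened client side: TLS 1.3 only (older versions are
// refused outright), ordinary chain verification against root, then a pin check.
func ClientConfig(root *x509.Certificate, pin [32]byte) *tls.Config {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	return &tls.Config{
		MinVersion: tls.VersionTLS13,
		RootCAs:    pool,
		// VerifyConnection runs only after standard verification has succeeded,
		// so the pin is an extra check, never a replacement for chain validation.
		VerifyConnection: func(cs tls.ConnectionState) error {
			if len(cs.PeerCertificates) == 0 || sha256.Sum256(cs.PeerCertificates[0].Raw) != pin {
				return ErrPinMismatch
			}
			return nil
		},
	}
}

// Handshake runs one client handshake against a loopback server using cert and
// returns the negotiated protocol version, or 0 and the client-side error.
func Handshake(cert tls.Certificate, cli *tls.Config) (uint16, error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert}})
	if err != nil {
		return 0, err
	}
	defer ln.Close()
	go func() {
		if c, err := ln.Accept(); err == nil {
			c.(*tls.Conn).Handshake() // server-side outcome is not needed for the demo
			c.Close()
		}
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), cli)
	if err != nil {
		return 0, err
	}
	defer conn.Close()
	return conn.ConnectionState().Version, nil
}

// Demo: one handshake with the correct pin, one with a pin for some other certificate
// (all zeros here). The chain verifies both times; only the pin differs.
func Demo() (version uint16, wrongPinErr error, err error) {
	cert, leaf, err := selfSigned()
	if err != nil {
		return
	}
	if version, err = Handshake(cert, ClientConfig(leaf, sha256.Sum256(leaf.Raw))); err != nil {
		return
	}
	_, wrongPinErr = Handshake(cert, ClientConfig(leaf, [32]byte{}))
	return
}

func main() {
	if _, wrongPinErr, err := Demo(); err != nil || wrongPinErr != ErrPinMismatch {
		panic("demo did not behave as expected")
	}
}
```

The first handshake negotiates TLS 1.3 (version 0x0304) and succeeds; the second is aborted by the client with ErrPinMismatch even though the certificate chain is trusted, which is the situation pinning is meant to catch: a certificate that validates but is not the one the application expects. Pinning the whole leaf certificate, as done here, means every certificate renewal requires an app update; pinning the public key instead survives renewals that keep the key.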
Practical Self-Defense on Public Wi-Fi
Public Wi-Fi is the highest-risk environment for MITM attacks. Making the following practices habitual can significantly reduce your risk.
- Keep VPN Always On: A VPN encrypts your traffic, so even if you connect to a rogue access point, your communication content is protected.
- Disable Auto-Connect: Turn off automatic Wi-Fi connection on your device so that it does not join unknown access points on its own.
- Verify the Network Name: Confirm the official Wi-Fi network name with staff. Do not connect to similarly named networks.
- Avoid Sensitive Operations: Refrain from online banking, credit card transactions, and entering important passwords on public Wi-Fi. Use mobile data for sensitive operations.
- Forget Networks After Use: Remove public Wi-Fi networks from your saved networks list after use. This prevents automatic reconnection on future visits.
To learn more about this topic, see Public Wi-Fi Risks: 7 Ways to Stay Safe on Free Networks.
Common Misconceptions
- HTTPS makes MITM attacks impossible
  - HTTPS is a strong defense when properly implemented, but MITM attacks can still succeed when applications skip certificate validation or use outdated TLS versions, or when users dismiss certificate warnings.
- MITM attacks require being on the same Wi-Fi network
  - ARP spoofing is a local network attack, but DNS spoofing and BGP hijacking can be executed remotely. ISP-level traffic interception and malware-based proxy configuration changes are among many techniques that do not require physical proximity.