Question
What is a Man-in-the-Middle (MitM) attack, and what is the attacker's general goal?
Answer
MitM means the attacker positions themselves between two communicating parties — relaying, eavesdropping on, and optionally modifying their traffic, while both sides believe they're talking directly to each other.
* Mallory sits between Alice and Bob, relaying their traffic. — Miraceti, CC BY-SA 3.0, via Wikimedia Commons. *
The structure:
Victim ←──── MitM ────→ Real server
(sees attacker) (sees attacker)
Both sides think they're talking to the other directly.
What the attacker can do:
| Capability | Example |
|---|---|
| Eavesdrop | Read passwords, cookies, messages |
| Modify | Inject malicious code into responses, alter banking transactions |
| Impersonate | Provide forged login pages to capture credentials |
| Strip security | Downgrade HTTPS to HTTP (SSL stripping) |
The attacker's #1 problem — being invisible:
A successful MitM must forward traffic transparently so neither side notices delays or errors. If you simply intercept and drop, the connection breaks → user notices → switches networks. The art is being transparent while sniffing.
MitM applies at every layer:
| Layer | Example attack |
|---|---|
| Physical / WiFi | Rogue access point ("evil twin") |
| Layer 2 / Ethernet | ARP poisoning (covered here) |
| Layer 3 / IP | BGP hijacking (large-scale) |
| Layer 7 / DNS | DNS spoofing (covered here) |
| Layer 7 / TLS | Certificate forgery, SSL strip |
The fundamental defense:
Mutual authentication — both sides verify each other cryptographically:
- TLS: server presents a certificate signed by a trusted CA → client verifies
- SSH: client checks server's known fingerprint
- Certificate pinning: app rejects all certs except a hardcoded one
- Mutual TLS (mTLS): both sides present certificates
Tip: "MitM" is older terminology. Modern alternatives: "Adversary-in-the-Middle (AitM)" or "On-Path Attacker." All describe the same thing.
Go deeper:
Man-in-the-middle attack (Wikipedia) — catalogs the attack variants (HTTPS spoofing, SSL strip, ARP/DNS spoofing) and the real-world cases (DigiNotar, Comcast injection).
Note saved — thanks!