What is a man-in-the-middle (MITM) attack?


A man-in-the-middle attack (also called a monster-in-the-middle attack, or MITM) is an attack in which the attacker sits between two communicating parties (in this case, you and the server). Both sides are victims because both are tricked into thinking they are communicating directly with each other, when in fact everything passes through a third party, the attacker, who can read and alter it in transit.

The DNS system is a common place for such an attack. The MITM sits between you and the DNS server, with the same effect as if you were talking to a malicious or hacked server. Plain DNS responses are not cryptographically signed (DNSSEC exists, but it is far from universally deployed or validated), so you have no way of knowing whether the answer you received is correct. You might end up on the wrong server, or on the attacker’s server, when you type in a web address.

Of course, in reality, a man-in-the-middle attacker does not have to be a man, monster or even a single person. It could be a group of people, but it’s most likely simply a piece of software operated by a nefarious individual or group.

Jump to…
Common types of man-in-the-middle attacks
How to prevent man-in-the-middle attacks for web browsing
How to prevent man-in-the-middle attack for messaging
Famous MITM (man-in-the-middle) attack examples
Protect yourself
FAQ: About man-in-the-middle attacks

Common types of man-in-the-middle attacks

The seven types of man-in-the-middle attack below are the ones you will most often hear about. An attack typically has two phases: interception of the traffic, and then decryption (or defeating the encryption) of it.

Interception

The interception phase refers to when the man-in-the-middle attacker intercepts the data transfer between a client and the server. Here are some common man-in-the-middle attacks which happen during the interception phase.

IP spoofing

In IP spoofing, the attacker forges the source address in the IP headers of packets so that they appear to come from a trusted host. On its own this does not redirect anything, but combined with forged responses or routing tricks it lets the attacker steer the victim’s traffic to a destination of their choosing, such as a fake website, or slip packets past filters that trust certain addresses. It is a common building block of attacks on a target’s network.

ARP spoofing

In ARP spoofing, attackers abuse the Address Resolution Protocol (ARP), which maps IP addresses (which may change) to the fixed media access control (MAC) addresses of devices on a local network. The attacker sends falsified ARP replies over the LAN, and because ARP has no authentication, the other hosts simply update their tables. Once the attacker’s MAC address is associated with the IP address of a legitimate computer or server on the network (typically the default gateway), the attacker receives any data intended for that IP address and can quietly forward it on so that nobody notices.
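Because ARP replies are trusted blindly, the practical defense on a LAN is to watch for the inconsistencies the attack produces. The following Python sketch is an added example (it is not part of the original article) that runs over a constructed list of observed ARP replies and flags an IP address whose MAC changes, a pinned address (the gateway) answered by the wrong MAC, and a MAC address that answers for more than one IP, which is what poisoning both the victim and the gateway looks like. All IP and MAC values are invented.

```python
from collections import defaultdict

# Constructed sample of (sender IP, sender MAC) pairs as seen in ARP "is-at"
# replies on a LAN. All values are made up: a real gateway, an ordinary host,
# then an attacker (de:ad:be:ef:00:99) claiming both addresses.
SAMPLE_REPLIES = [
    ("192.168.1.1", "aa:bb:cc:00:00:01"),   # genuine gateway reply
    ("192.168.1.10", "aa:bb:cc:00:00:10"),  # genuine host reply
    ("192.168.1.1", "de:ad:be:ef:00:99"),   # forged: gateway IP, attacker MAC
    ("192.168.1.10", "de:ad:be:ef:00:99"),  # forged: host IP, attacker MAC
]


def detect_arp_spoofing(replies, pinned=None):
    """Scan ARP replies in order and return a list of alert tuples.

    Alerts:
      ("pinned_mismatch", ip, expected_mac, seen_mac)
          a reply for a pinned IP (e.g. the gateway) carries the wrong MAC
      ("ip_changed_mac", ip, old_mac, new_mac)
          an IP we have already seen now claims a different MAC
      ("mac_claims_many_ips", mac, (ip, ...))
          one MAC has answered for more than one IP, the signature of a
          host being poisoned in both directions

    `pinned` is an optional dict of ip -> known-good MAC. Without it an IP
    that changes MAC legitimately (DHCP reassignment, replaced NIC) will
    also fire an alert, so in practice pin the gateway at least.
    """
    pinned = {ip: mac.lower() for ip, mac in (pinned or {}).items()}
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    alerts = []

    for ip, mac in replies:
        mac = mac.lower()
        if ip in pinned and pinned[ip] != mac:
            alerts.append(("pinned_mismatch", ip, pinned[ip], mac))
        known = ip_to_mac.get(ip)
        if known is not None and known != mac:
            alerts.append(("ip_changed_mac", ip, known, mac))
        # Mirror what a victim's ARP cache does: the newest reply wins.
        ip_to_mac[ip] = mac
        mac_to_ips[mac].add(ip)
        if len(mac_to_ips[mac]) > 1:
            alerts.append(("mac_claims_many_ips", mac, tuple(sorted(mac_to_ips[mac]))))

    return alerts


if __name__ == "__main__":
    for alert in detect_arp_spoofing(SAMPLE_REPLIES, pinned={"192.168.1.1": "aa:bb:cc:00:00:01"}):
        print(alert)
```

On a real network you would feed the pairs from a packet capture. The "many IPs" rule also fires for a legitimate host that holds several addresses, so treat it as a signal to correlate with the gateway pin rather than proof on its own.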

DNS spoofing

When you enter expressvpn.com into your browser bar, your computer looks up the IP address of expressvpn.com in a global, distributed database called DNS, which acts like a phone book for websites. In DNS spoofing, the attacker alters DNS records or forges DNS responses and sends victims to a website different from the one they intend to visit. DNS spoofing is also called DNS poisoning, after the classic technique of planting a false answer in a resolver’s cache. It’s a common form of DNS hijacking.
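What makes DNS spoofing possible is that a resolver accepts the first answer that looks right. Below, as an added example that is not drawn from the article, is a Python model of the checks a resolver performs on an incoming UDP response: transaction ID, destination port, question section, and a "bailiwick" check that every record belongs to the zone asked about. The query state and the responses are constructed dictionaries, and the addresses come from the documentation ranges. It shows that these checks defeat an off-path attacker who has to guess, but not an attacker who can see the query, which is exactly the man-in-the-middle position.

```python
# Constructed state for one outstanding query, as a stub or recursive
# resolver would keep it: the 16-bit transaction ID it chose, the UDP source
# port it sent from, and the question it asked. All values are invented.
QUERY = {"txid": 0x1A2B, "sport": 43210, "qname": "expressvpn.com", "qtype": "A"}
ZONE = "expressvpn.com"      # the zone the authoritative server answers for


def in_bailiwick(name, zone):
    """True if `name` is `zone` itself or a subdomain of it."""
    name, zone = name.lower().rstrip("."), zone.lower().rstrip(".")
    return name == zone or name.endswith("." + zone)


def accept_response(query, response, zone):
    """Decide whether a response should be trusted for `query`.

    Returns (accepted, reason). The first three checks are what stops a
    blind, off-path forger: with a random 16-bit ID and a random source port
    they have roughly 1 in 2**32 odds per guess. The bailiwick check rejects
    "extra" records that try to poison unrelated names.
    """
    if response["txid"] != query["txid"]:
        return False, "transaction ID mismatch"
    if response["dport"] != query["sport"]:
        return False, "destination port does not match our source port"
    if (response["qname"].lower(), response["qtype"]) != (query["qname"].lower(), query["qtype"]):
        return False, "question section does not match"
    for name, _rtype, _rdata in response["answers"] + response.get("additional", []):
        if not in_bailiwick(name, zone):
            return False, f"out-of-bailiwick record for {name}"
    return True, "accepted"


# Constructed responses. 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
GENUINE = {"txid": 0x1A2B, "dport": 43210, "qname": "expressvpn.com", "qtype": "A",
           "answers": [("expressvpn.com", "A", "203.0.113.10")]}

# Off-path attacker who never saw the query: has to guess the ID and port.
BLIND_FORGERY = {**GENUINE, "txid": 0x0001, "dport": 53,
                 "answers": [("expressvpn.com", "A", "198.51.100.66")]}

# On-path attacker (the MITM) who read the query off the wire: everything matches.
ON_PATH_FORGERY = {**GENUINE, "answers": [("expressvpn.com", "A", "198.51.100.66")]}

# Matching response that also tries to plant a record for an unrelated name.
POISON_ATTEMPT = {**GENUINE,
                  "additional": [("www.google.com", "A", "198.51.100.67")]}


def evaluate_all():
    """Run every sample response through the resolver checks."""
    return {
        "genuine": accept_response(QUERY, GENUINE, ZONE),
        "blind": accept_response(QUERY, BLIND_FORGERY, ZONE),
        "on_path": accept_response(QUERY, ON_PATH_FORGERY, ZONE),
        "poison": accept_response(QUERY, POISON_ATTEMPT, ZONE),
    }


if __name__ == "__main__":
    for name, result in evaluate_all().items():
        print(f"{name:8s} -> {result}")
```

The on-path case is why the article says there is no way to know: the forged answer is indistinguishable from the real one. The only cryptographic fixes are DNSSEC validation, which adds signatures the attacker cannot forge, or DNS over TLS/HTTPS to a resolver you trust, which moves the exposed hop to the resolver-to-authority path.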

Decryption

In the decryption phase, attackers decrypt, downgrade or fake the encryption on the data they have intercepted and use it to their advantage.

HTTPS spoofing

In HTTPS spoofing (also called a homograph attack), an attacker lures the target into visiting a fake website whose domain looks like a genuine one, and which presents a perfectly valid HTTPS certificate for that lookalike name. The trick is using characters from other scripts that look identical to Latin letters: the Cyrillic “а” (U+0430), for example, is indistinguishable from the Latin “a” in most fonts, so the lock icon alone does not tell you which site you are on.
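Browsers defend against this by refusing to render a domain in its Unicode form when it mixes scripts, showing the punycode (xn--…) form instead. The Python below is an added example, not code from the article, showing a simplified version of that check: it classifies each letter of a hostname by script from its Unicode name, flags labels that mix scripts or consist only of a hand-picked shortlist of Cyrillic letters that look Latin, and prints the on-the-wire form using Python’s built-in IDNA codec. The lookalike list is a constructed subset, not the full Unicode confusables table, and the sample hostnames are illustrative.

```python
import unicodedata

# A partial, hand-picked set of Cyrillic letters that render like the Latin
# letters a e o p c y x i j s d q w in common fonts. This is a constructed
# shortlist for illustration, not the full Unicode confusables table.
LATIN_LOOKALIKE_CYRILLIC = set(
    "\u0430\u0435\u043e\u0440\u0441\u0443\u0445\u0456\u0458\u0455\u0501\u051b\u051d"
)


def script_of(ch):
    """Coarse script of one character, taken from its Unicode name
    ('LATIN SMALL LETTER A' -> 'LATIN'). ASCII digits and '-' are reported
    as COMMON so they never count as a second script."""
    if ch.isascii() and not ch.isalpha():
        return "COMMON"
    try:
        return unicodedata.name(ch).split()[0]
    except ValueError:
        return "UNKNOWN"


def analyze_hostname(host):
    """Return one report dict per DNS label of `host`."""
    report = []
    for label in host.lower().split("."):
        scripts = {script_of(c) for c in label} - {"COMMON"}
        letters = [c for c in label if c.isalpha()]
        try:
            # Python's built-in codec gives the ASCII (xn--...) form a browser
            # sends on the wire. It implements IDNA2003, not IDNA2008.
            punycode = label.encode("idna").decode("ascii")
        except UnicodeError:
            punycode = None
        report.append({
            "label": label,
            "scripts": scripts,
            "mixed_script": len(scripts) > 1,
            # every letter is a Cyrillic lookalike: a whole-script confusable
            "lookalike_only": bool(letters) and all(c in LATIN_LOOKALIKE_CYRILLIC for c in letters),
            "punycode": punycode,
        })
    return report


def is_suspicious(host):
    """True if any label mixes scripts or consists only of Latin lookalikes.
    A single-script IDN such as a German or Russian domain is left alone."""
    return any(r["mixed_script"] or r["lookalike_only"] for r in analyze_hostname(host))


if __name__ == "__main__":
    samples = ["expressvpn.com", "\u0435xpressvpn.com", "m\u00fcnchen.de", "\u0441\u043e\u0440\u0443.com"]
    for h in samples:
        print(h, "->", is_suspicious(h), [r["punycode"] for r in analyze_hostname(h)])
```

The second sample replaces only the first letter with the Cyrillic “е”; the last sample is all Cyrillic and reads as “copy.com” in a typical font. Real browser logic is more elaborate (it also considers the user’s configured languages and a full confusables table), but the two rules here catch the common cases.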

SSL BEAST

SSL BEAST, short for Browser Exploit Against SSL/TLS, exploits a weakness in how TLS 1.0 and older SSL versions chain the initialisation vectors of cipher-block-chaining (CBC) mode. By injecting chosen plaintext through the victim’s browser, an attacker on the network can decrypt parts of an encrypted HTTPS session, typically session cookies and authentication tokens. TLS 1.1 and later are not affected.

SSL hijacking

In SSL hijacking, an attacker intercepts the connection, presents their own forged SSL/TLS certificate for the website you visit, and relays traffic to the real site. The browser will show a certificate warning unless the attacker’s certificate authority has been installed on the device (as with some corporate proxies and malware), so the attack depends on the victim clicking through that warning or on a rogue CA already being trusted.

SSL stripping

In SSL stripping, an attacker downgrades the connection between the user and the website from HTTPS to plain, unencrypted HTTP. The attacker keeps the encrypted HTTPS connection to the real server for themselves, while rewriting every https:// link and redirect in the pages they relay so that the victim’s browser keeps talking plain HTTP. Everything the victim sends, including passwords, is then readable.

How to prevent man-in-the-middle attacks for web browsing

1. Visit only HTTPS websites

HTTPS (Hypertext Transfer Protocol Secure) does two things: it encrypts the traffic between you and the site you are visiting, and it authenticates the site, so you know it is really the site you intend to visit. You can tell if a site uses HTTPS by the lock symbol in your browser’s address bar.

This is also the answer to the DNS problem above: even if a spoofed DNS answer sends you to the attacker’s server, that server cannot present a valid certificate for the site’s name, so an HTTPS connection to it fails.

To achieve this, the owner of the site obtains a certificate from a Certificate Authority (CA) that binds the site’s domain name to its public key. Modern browsers require certificates to be published in public Certificate Transparency logs, so if a certificate is issued incorrectly the owner can find out, as has happened to Google’s domains more than once. You can look up any domain’s publicly logged certificates with Google’s Certificate Transparency search tool by typing in its name.

So as long as every site uses HTTPS, and as long as we check each site we visit for the lock in the browser bar, we are for the most part safe from these man-in-the-middle attacks.

2. Use browsers that support HSTS

When you first connect to a website that uses HSTS (HTTP Strict Transport Security), the website instructs your browser to only ever connect through HTTPS in the future and never through any unencrypted means. This only works, however, if the first time you connect to the site you are not already being attacked.

When properly implemented, HSTS also makes certificate errors fatal: the browser will not let you click through a warning for an HSTS site. So even in the unlikely event an attacker could get the browser into an encrypted connection with a forged certificate, that connection would simply fail.

Some popular, high-profile websites go a step further and have their domains added to the HSTS preload list that is built into major browsers, so that even a first-time connection is made over an encrypted channel.
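To make the SSL stripping attack described earlier and the HSTS defense concrete, here is an added Python example (it is not code from the article or from any browser). It contains the one-line heart of a stripping proxy, a parser for the Strict-Transport-Security header, and a small model of a browser’s HSTS store, then walks three victims through the same stripped login link: one with no stored policy, one who received the header over HTTPS the day before, and one whose browser has the site preloaded. Putting expressvpn.com on the preload list here is an assumption for illustration, and the timestamps are constructed.

```python
def strip_https(html):
    """The core of an SSL-stripping proxy: rewrite every https:// reference in a
    page relayed to the victim over plain HTTP, so the browser never asks for
    TLS. Real tools also rewrite Location headers and drop the HSTS header."""
    return html.replace("https://", "http://")


def parse_sts(value):
    """Parse a Strict-Transport-Security header value.
    Returns (max_age_seconds, include_subdomains), or None if max-age is missing."""
    max_age, include_sub = None, False
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                max_age = int(val.strip().strip('"'))
            except ValueError:
                return None
        elif name == "includesubdomains":
            include_sub = True
    return None if max_age is None else (max_age, include_sub)


class HstsStore:
    """Minimal model of a browser's HSTS policy store (RFC 6797)."""

    def __init__(self, preload=()):
        self.policies = {}           # host -> (expires_at, include_subdomains)
        self.preload = set(preload)  # hosts compiled into the browser build

    def observe(self, host, sts_value, over_https, now):
        """Record a policy. Headers seen over plain HTTP are ignored, which is
        what stops a stripping proxy from sending max-age=0 to erase one."""
        if not over_https:
            return
        parsed = parse_sts(sts_value)
        if parsed is None:
            return
        max_age, include_sub = parsed
        if max_age == 0:
            self.policies.pop(host, None)
        else:
            self.policies[host] = (now + max_age, include_sub)

    def is_known(self, host, now):
        """True if host, or a parent with includeSubDomains, has a live policy
        or is preloaded (preloaded entries always cover subdomains)."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            if candidate in self.preload:
                return True
            policy = self.policies.get(candidate)
            if policy is None:
                continue
            expires, include_sub = policy
            if now < expires and (i == 0 or include_sub):
                return True
        return False

    def navigate(self, url, now):
        """Return the URL the browser will actually request."""
        scheme, sep, rest = url.partition("://")
        host = rest.split("/", 1)[0].split(":")[0]
        if sep and scheme.lower() == "http" and self.is_known(host, now):
            return "https://" + rest
        return url


def scenario(now=1_700_000_000):
    """Walk three victims through a stripped login link and return what each
    browser would request (constructed timestamps, in seconds)."""
    page = '<a href="https://expressvpn.com/login">Log in</a>'
    link = "http://expressvpn.com/login"      # the href after strip_https(page)

    fresh = HstsStore()                        # never saw the site over HTTPS
    seasoned = HstsStore()                     # got the header yesterday over TLS
    seasoned.observe("expressvpn.com", "max-age=31536000; includeSubDomains", True, now - 86_400)
    preloaded = HstsStore(preload={"expressvpn.com"})   # assumed for illustration

    # The relaying attacker tries to reset the policy over plain HTTP: ignored.
    seasoned.observe("expressvpn.com", "max-age=0", False, now)

    return {
        "stripped_page": strip_https(page),
        "fresh": fresh.navigate(link, now),
        "seasoned": seasoned.navigate(link, now),
        "seasoned_subdomain": seasoned.navigate("http://www.expressvpn.com/", now),
        "preloaded": preloaded.navigate(link, now),
        "expired": seasoned.navigate(link, now + 40_000_000),
    }


if __name__ == "__main__":
    for who, url in scenario().items():
        print(f"{who:18s} {url}")
```

The "expired" case is the caveat practitioners forget: a policy only lasts for max-age, so a user who has not visited the site in over a year is back in the first-connection situation, which is why sites use long max-age values and why preloading matters.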

How to prevent man-in-the-middle attack for messaging

Man-in-the-middle attacks are not limited to browsing. They are a threat wherever two parties communicate, such as email or chat messaging. In encrypted chat and email, the strategy of the attack is similar to that against web browsing, but the defense is slightly different.

1. Use a VPN

Instead of “trusting” the encryption key of a server the first time you connect to it, your VPN software ships with its provider’s own certificate authority built in. The VPN client will only connect to a server that can present a certificate signed by that provider CA, so an impostor server cannot pass itself off as a real one.

Read more: How ExpressVPN apps confirm they’re talking to ExpressVPN servers

2. Use off-the-record messaging (OTR)

Off-the-record messaging (OTR) is a protocol for encrypting instant messages that also authenticates your conversation partner and provides forward secrecy and deniability. It does not hide who you are; what it protects is the content of the conversation and your certainty about who is on the other end.

When OTR chat is initiated, encryption keys are exchanged between the users. If an attacker places themselves in the middle of two users, they could set up two separate encrypted chats with the two victims, making them believe they are talking directly to each other.

As there are no Certificate Authorities for chat, the two users need to verify their key fingerprints manually to ensure they are indeed talking directly to each other. They can do this by publishing the fingerprint on their website or business card, reading it out over the phone, or communicating it over any other channel the attacker does not have access to.

3. Use encrypted chat apps

Chat applications that offer encrypted chats between their users also need a mechanism to protect against MITM. In Signal, for example, you can see a long string of numbers for each chat by tapping on your contact and selecting “View Safety Number.” One half is derived from your own key, the other from your contact’s, and both of you should see exactly the same number; if you compare them in person or over a call and they differ, someone is in the middle.
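The following Python example, added here and not taken from the article, Signal or OTR, plays out both the OTR-style key exchange described above and the safety-number comparison. It uses a toy Diffie-Hellman group with a 127-bit prime (far too small for real use, where X25519 or 2048-bit-plus groups are used) and three constructed private keys. The fingerprint construction is loosely modelled on Signal’s safety numbers (iterated hashing, sixty decimal digits, both halves sorted) but is not a reimplementation of it. In the honest case both parties see the same number; when Mallory substitutes her key in both directions, each victim still ends up with a working encrypted session, but the numbers they display no longer match.

```python
import hashlib

# Toy Diffie-Hellman parameters so the whole exchange fits in a few lines.
# 2**127 - 1 is prime, but this group is far too small for real use; real
# apps use X25519 or 2048-bit-plus groups. Everything here is constructed.
P = 2**127 - 1
G = 5

# Constructed long-term private keys for the three parties.
ALICE_PRIV = 0x0123456789ABCDEF0123456789ABCDEF
BOB_PRIV = 0xFEDCBA9876543210FEDCBA9876543210
MALLORY_PRIV = 0x1111222233334444555566667777AAAA


def pubkey(priv):
    """Long-term identity public key g^priv mod p."""
    return pow(G, priv, P)


def shared_secret(priv, peer_pub):
    """Session secret peer_pub^priv mod p (equal on both ends only if nobody is in the middle)."""
    return pow(peer_pub, priv, P)


def fingerprint(pub):
    """30-byte fingerprint of one identity key, hashed many times over so
    that finding a different key with the same displayed digits is expensive.
    Loosely modelled on Signal's safety-number construction, not a copy of it."""
    raw = pub.to_bytes(16, "big")
    digest = raw
    for _ in range(5200):
        digest = hashlib.sha512(digest + raw).digest()
    return digest[:30]


def digits(fp30):
    """Render 30 bytes as six groups of five decimal digits."""
    return " ".join(f"{int.from_bytes(fp30[i:i + 5], 'big') % 100000:05d}"
                    for i in range(0, 30, 5))


def safety_number(own_pub, peer_pub):
    """Both fingerprints, sorted, so that both parties display the same 60 digits
    when (and only when) each holds the other's real key."""
    a, b = sorted((fingerprint(own_pub), fingerprint(peer_pub)))
    return digits(a) + "  " + digits(b)


def honest_exchange(a_priv=ALICE_PRIV, b_priv=BOB_PRIV):
    """Alice and Bob receive each other's real keys."""
    a_pub, b_pub = pubkey(a_priv), pubkey(b_priv)
    return {
        "alice_secret": shared_secret(a_priv, b_pub),
        "bob_secret": shared_secret(b_priv, a_pub),
        "alice_sees": safety_number(a_pub, b_pub),
        "bob_sees": safety_number(b_pub, a_pub),
    }


def mitm_exchange(a_priv=ALICE_PRIV, b_priv=BOB_PRIV, m_priv=MALLORY_PRIV):
    """Mallory intercepts both key messages and substitutes her own key, ending
    up with one working session with Alice and another with Bob."""
    a_pub, b_pub, m_pub = pubkey(a_priv), pubkey(b_priv), pubkey(m_priv)
    return {
        "alice_secret": shared_secret(a_priv, m_pub),      # Alice thinks m_pub is Bob's
        "bob_secret": shared_secret(b_priv, m_pub),        # Bob thinks m_pub is Alice's
        "mallory_with_alice": shared_secret(m_priv, a_pub),
        "mallory_with_bob": shared_secret(m_priv, b_pub),
        "alice_sees": safety_number(a_pub, m_pub),
        "bob_sees": safety_number(b_pub, m_pub),
    }


if __name__ == "__main__":
    h, m = honest_exchange(), mitm_exchange()
    print("honest: numbers match ->", h["alice_sees"] == h["bob_sees"])
    print("MITM:   numbers match ->", m["alice_sees"] == m["bob_sees"])
    print("Alice under MITM sees:", m["alice_sees"])
    print("Bob under MITM sees:  ", m["bob_sees"])
```

Note that nothing inside the protocol detects the substitution: both victims’ sessions decrypt fine, because each is really a session with Mallory. The mismatch only becomes visible when Alice and Bob compare their numbers over a channel Mallory does not control, which is the whole point of the out-of-band verification step.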

Read more: The best messaging apps for privacy and security in 2023

4. Set up Pretty Good Privacy (PGP)

PGP (Pretty Good Privacy) is a long-established standard for encrypting and signing email, text and files. Its signatures can also be used to verify the integrity of any kind of data.

Since anyone can create a PGP key, an attacker might simply distribute a key in the name of an intended victim. Now, if anyone tries to communicate with the victim, they actually end up communicating with the attacker, who will forward the messages to the victim. Both parties think that since they are using PGP, they are secure, but instead they are outright sharing their messages with the attacker.

PGP keys are commonly uploaded to keyservers, where they become publicly visible, and a keyserver will happily host a false key alongside the real one. To defend against false keys, PGP uses key signing: several colleagues and trusted friends sign your key to vouch that it belongs to you. The resulting “web of trust” relies on the idea that, through a short chain of acquaintances, someone you already trust has probably signed a stranger’s key.

In practice, however, keys are not commonly signed, and you will still need to rely on authenticating your chat partner yourself.

Some chat apps, such as Signal and Telegram (in its end-to-end encrypted secret chats), let you verify the fingerprint of your conversation partner and therefore have a mechanism to detect man-in-the-middle attacks.

Other encrypted messaging platforms, such as iMessage, offered no such feature for years (Apple added an optional contact key verification feature only in late 2023). Without it you are left in the dark about such attacks and forced to rely on the service to defend you, somehow.

Famous MITM (man-in-the-middle) attack examples

The Babington Plot

Dating from 1586, the Babington Plot is a classic example of a man-in-the-middle attack, long before computers were invented. Correspondence between Mary Stuart, Queen of Scots, and her supporters about a plot to assassinate Queen Elizabeth I was intercepted by Elizabeth’s spymaster, Francis Walsingham, who had it deciphered and forwarded on so that neither side noticed. The letters revealed that Mary supported the assassination, which led to her own execution.

Belkin

In 2015, Belkin’s wireless routers were found to have several vulnerabilities. Attackers could spoof DNS responses to cause devices to contact attacker-controlled hosts or make unintentional requests to the web server.

Nokia

In 2013, the Finnish tech giant was found to be performing a man-in-the-middle attack on its own customers: on some of its phones, traffic from the Xpress Browser was routed through Nokia’s proxy servers, which decrypted the user data passing through supposedly secure HTTPS connections. Nokia said it did this to compress data and accelerate the loading of web pages.

DigiNotar

In 2011, attackers broke into the systems of the Dutch certificate authority DigiNotar and issued themselves fraudulent certificates, including one for Google’s domains, which was then used to intercept the Gmail traffic of users in Iran. Within a month, DigiNotar was taken over by the Dutch government and shut down.

Equifax

Equifax suffered a data breach in 2017. Subsequently, it set up a website called equifaxsecurity2017.com to give information and resources to affected customers. The unfamiliar domain made lookalikes easy: a security researcher registered securityequifax2017.com as a demonstration phishing page, and Equifax’s own support account tweeted links to it several times, showing how readily users could have been redirected to an impostor.

Protect yourself

Checking that the sites you visit use HTTPS, and that the name in the address bar is really the one you expect, is the most effective everyday defense against man-in-the-middle attacks.

For sites you regularly visit, a browser setting that forces HTTPS makes sure every connection to the site is encrypted. (The EFF’s HTTPS Everywhere extension used to do this; it has been retired because all major browsers now ship a built-in HTTPS-only mode.) Doing so ensures an attacker cannot trick you into entering information into a server that merely impersonates the one you wanted to connect to.

When the lock is missing, under no circumstances should you enter any personal information such as email addresses or passwords. If there is no lock on display, try again later, connect through a VPN, or reach out to the website operator.

FAQ: About man-in-the-middle attacks

What type of threat is a man-in-the-middle attack?
How are man-in-the-middle attacks detected?
What are the common tools for man-in-the-middle attacks?
What is another name for a man-in-the-middle attack?
How often do man-in-the-middle attacks happen?
Lexie is the blog's resident tech expert and gets excited about empowerment through technology, space travel, and pancakes with blueberries.