Hackers have used techniques such as Man in the Middle attacks since the birth of time.
Of course, that isn’t exactly true but you get the idea.
The principle behind Man in the Middle attacks is rather simple.
A bad guy, or a hacker, finds a way to insert himself/herself right into the middle of a given conversation between any two given parties.
But that’s not all.
After gaining access to the conversation, the hacker can relay each of the party’s messages without any one of the party members knowing that there is a third person present in the conversation.
This is what we call Man in the Middle attacks.
But what does it really mean if we change the context to the internet?
From the online world’s perspective, Man in the Middle attacks mean that hackers, or the middle party, have the capability to read and monitor everything that either party member sends to the other party members.
Hackers can also alter the content that each party member may send to each other.
How Do Man in the Middle attacks Happen?
In the old days, this phrase “Man in the Middle attacks” actually referred to some person who existed in the middle.
Simple as that.
We also know of a guy named General Bob.
Bob liked to dispatch his messengers on horseback in order to inform Colonel Alice to launch an attack on the left flank.
Then we had Lady Mallory, a rather evil woman, who took up a position in the middle, waylaid General Bob’s messengers and stole their messages.
She would then change General Bob’s message that General Bob wanted to send to Colonel Alice.
The changed message instructed Colonel Alice to fall back instead of going for the attack.
Then Lady Mallory would send a corresponding response back to General Bob.
The response back actually acknowledged General Bob’s orders which initially wanted Colonel Alice to launch an attack on the left flank.
Shortly afterward, General Bob lost the war.
He also had to face a magnificent tactical embarrassment, because his left flank had no protection.
Of course, that is still a story.
And we don’t need to spend too much time on it.
Fast forwarding to today, and the real world, online Man in the Middle attacks are a bit different.
But they do tend to take the same form.
A common case of Man in the Middle attacks has someone like Mallory, from the above-mentioned story, setting up a fake and malicious wireless access point at some public location.
Such public locations are usually coffee shops and airport waiting areas.
Then, Mallory would give her fake and malicious access point a legitimate looking and sounding name.
Most of the time you would see such Wifi access spots with names such as “official-coffee-shop-wifi” or “free-customer-coffee-shop-wifi”.
As you would expect, people like to take advantage of free Wifi wherever they can find it.
Mallory doesn’t have to wait too long before the coffee shop customers start to connect to her Wifi access point.
Of course, there is a legitimate access point as well, but people would miss it in the case of Man in the Middle attacks.
When that happens, Mallory has effectively inserted herself right into the customers’ data stream that exists between their device and the internet.
This also allows Mallory to capture all of the customers’ traffic and do whatever she wants with it.
If a user isn’t using any encryption technology then that also means that Mallory would now have the opportunity to read all of the user’s online traffic.
As mentioned before, she could also modify the traffic.
Now, such a scenario could lead to many different outcomes.
Let’s discuss some of the outcomes that can take place when Mallory has effectively intercepted a conversation via a free WiFi access point at some public place.
To understand this example, we will first consider a case where the user is using an online webmail service in order to send some email messages.
When the user logs in to his/her webmail, Mallory helps herself to a copy of the user’s authentication cookie.
She grabs it as the authentication cookie makes its way from the server to the user’s web browser.
With that done, Mallory can now use that authentication cookie in order to access the user’s webmail too.
If you would like more information on authentication cookies and how they work then you should search the web for how the web actually works.
Remember that the web works a bit differently than how most of us think it works.
In other words, users don’t simply “log on” to the hundreds of websites they visit.
In reality, the user’s web browser makes a request to each website.
The website then sends a response back to the user’s local computer.
After that, the user enters his/her login details or credentials.
These then make their way to the server of the website the user is trying to visit.
If the website finds that the login credentials are indeed correct, then that website would respond with something that we call an authentication token.
When the user makes more requests from his/her computer, that authentication token or cookie is also sent along with the user’s requests.
This way, the website knows for sure who the user is and doesn’t require the user to log in again for every page on the same website.
As you would probably imagine, this authentication cookie is a sensitive, and very valuable, token.
This is also the reason why hackers want to steal it.
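As an added example (not code from the original article), the following Python shows the browser-side rule that decides whether Mallory ever sees the cookie: a session cookie set without the Secure attribute is attached to a plain http:// request, while a Secure cookie only travels over https://. The audit function lists the attributes a webmail login response should carry; the headers and hostnames are constructed for the demo.

```python
from urllib.parse import urlsplit


def parse_set_cookie(header):
    """Split one Set-Cookie header value into (name, value, attributes)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value, attrs


def audit_cookie(header):
    """Return the hardening attributes a session cookie is missing."""
    _, _, attrs = parse_set_cookie(header)
    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure: sent over plain http://, readable on open Wi-Fi")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: script on the page can read it")
    if str(attrs.get("samesite", "")).lower() not in ("lax", "strict"):
        findings.append("missing SameSite=Lax/Strict: attached to cross-site requests")
    return findings


class CookieJar:
    """Minimal browser-style jar (no host scoping): stores cookies, decides when to send them."""

    def __init__(self):
        self.cookies = []  # list of (name, value, attrs)

    def store(self, header):
        self.cookies.append(parse_set_cookie(header))

    def cookies_for(self, url):
        """Names of the stored cookies a browser would attach to a request for url."""
        scheme = urlsplit(url).scheme
        sent = []
        for name, _, attrs in self.cookies:
            if "secure" in attrs and scheme != "https":
                continue  # a Secure cookie never travels over plain HTTP
            sent.append(name)
        return sent


# Constructed headers: a webmail login response as Mallory would like it, and a hardened one.
WEAK_COOKIE = "session=abc123; Path=/"
HARDENED_COOKIE = "session2=def456; Path=/; Secure; HttpOnly; SameSite=Lax"

if __name__ == "__main__":
    jar = CookieJar()
    jar.store(WEAK_COOKIE)
    jar.store(HARDENED_COOKIE)
    print(audit_cookie(WEAK_COOKIE))
    print(jar.cookies_for("http://webmail.example/inbox"))  # only the weak cookie leaks
```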
We’ll stick with our Mallory example here for a while, so you better get used to her name.
Mallory, or a cybercriminal, also has the ability to perform an online replay attack.
Since Mallory already has all of the user’s data, she doesn’t find it difficult to “replay” any of her previous attacks.
And that makes sense.
If you can do it once, why can’t you do it again?
For example, if the user has transferred around 1000 Runescape credits to his/her friend, Mallory can somehow re-send the packets that made up the original transfer in order to trigger another transfer.
In the end, the user would lose 2000 credits, instead of 1000.
Let’s keep the webmail example going for a bit longer.
Maybe some random user has managed to get into some trouble and has instructed his/her lawyer to withhold the funds related to a recent legal online transaction.
We have previously established that Mallory has possession of all the packets that comprise that email message.
With that in mind, it is entirely possible that Mallory would use those packets to change the content of the email message.
Mallory could alter the word “withhold” to something like “release”.
You don’t need us to tell you that if Mallory did that, then it would cause a lot of confusion.
Believe it or not, these types of Man in the Middle attacks are fairly common.
We have mostly seen these in cases such as the Kodi Media Center Add-on Man in the Middle attacks.
On a side note, in order to get every feature and add-on possible on Kodi, and to avoid being sued if you accidentally watch something pirated, you need a VPN. You can find the 5 best VPNs for Kodi here.
And remember, this is the kind of fictional attack that Mallory initially used in order to defeat General Bob.
This is just another variant of the previously mentioned Altered Content attack.
The main objective of this kind of attack is to simply cause any content to disappear altogether.
These kinds of Man in the Middle attacks usually involve a user, party, device or application that is waiting for a signal in order to carry out a task.
If Mallory has managed to get in the middle, then she can potentially make sure that the signal never arrives in the first place.
How To Protect Against Man in the Middle attacks?
As we have mentioned before, hackers can use a ton of ways to carry out these attacks.
These attacks can play out in other ways as well, but we won’t cover those here.
With that said, if you think about it, then during these Man in the Middle attacks hackers are usually exploiting a few things time and time again.
If you want to protect yourself against Man in the Middle attacks then you must make sure that the following exist on your machine:
This is basically to make sure that the message a user has received has actually come from the sender that the message says it has come from.
This is to ensure that the message a user has received is in its original state.
And that no one has altered its state since the sender sent the message via his/her device.
Just so that we are on the same page, let’s discuss what we mean when we say message.
By message we don’t necessarily mean the message that your coach sends you telling you to come to the training ground at 8:00 am sharp.
A message, here, is a generic term.
It could refer to several things, from complete email messages down to data packets much lower in the stack.
The concept remains the same regardless of which type of data we are talking about.
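The replay of the Runescape transfer above and the two requirements just listed (authenticity of the sender, integrity of the message) can be met by one mechanism, shown here as an added Python example that is not part of the original guide: every message carries an HMAC-SHA256 tag over its body, a nonce and a timestamp, and the receiver rejects altered bodies, stale messages and repeated nonces. The shared key and the transfer messages are constructed for the demo.

```python
import hashlib
import hmac
import json
import secrets
import time

# Constructed shared secret for the demo; real deployments derive one per session.
SHARED_KEY = b"constructed-demo-key"


def _canonical(fields):
    """Deterministic byte encoding of the fields that get signed."""
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def sign_message(key, body, nonce=None, ts=None):
    """Wrap body with a fresh nonce, a timestamp and an HMAC-SHA256 tag."""
    msg = {
        "body": body,
        "nonce": nonce if nonce is not None else secrets.token_hex(8),
        "ts": ts if ts is not None else int(time.time()),
    }
    msg["tag"] = hmac.new(key, _canonical(msg), hashlib.sha256).hexdigest()
    return msg


class Receiver:
    """Checks authenticity (tag), integrity (tag) and freshness (timestamp + nonce)."""

    def __init__(self, key, window=60):
        self.key = key
        self.window = window  # seconds a message stays acceptable
        self.seen = {}        # nonce -> time accepted, the replay cache

    def verify(self, msg, now=None):
        """Return (accepted, reason) for an incoming message."""
        now = now if now is not None else int(time.time())
        fields = {k: v for k, v in msg.items() if k != "tag"}
        expected = hmac.new(self.key, _canonical(fields), hashlib.sha256).hexdigest()
        # Constant-time compare: a wrong tag means the sender lacks the key or the body changed.
        if not hmac.compare_digest(str(msg.get("tag", "")), expected):
            return False, "bad tag: message forged or altered in transit"
        if abs(now - int(fields.get("ts", 0))) > self.window:
            return False, "stale timestamp"
        nonce = fields.get("nonce")
        if nonce in self.seen:
            return False, "replayed nonce"
        self.seen[nonce] = now
        # Forget nonces older than the window; a replay that old fails the timestamp check anyway.
        self.seen = {n: t for n, t in self.seen.items() if now - t <= self.window}
        return True, "accepted"


# Constructed transfer, signed once by the legitimate sender.
TRANSFER = sign_message(SHARED_KEY, {"transfer": 1000, "to": "friend"}, nonce="n1", ts=1000)

if __name__ == "__main__":
    rx = Receiver(SHARED_KEY)
    print(rx.verify(TRANSFER, now=1005))  # first delivery: accepted
    print(rx.verify(TRANSFER, now=1006))  # Mallory re-sends it: replayed nonce
```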
So how do you avoid Man in the Middle attacks and not become a victim to them?
Well, make sure you always take care of the following:
Always Employ HTTPS Wherever You Can
Or more like wherever it is possible.
This just means that you should always try to visit websites which give you the HTTPS icon.
The HTTPS icon is basically a green-colored lock symbol.
It is usually shown next to the web browser’s URL address bar.
HTTPS ensures that the user’s connection to any given website is secured via encryption.
Of course, seeing the HTTPS signal doesn’t mean that the user must trust the website absolutely.
Users should still treat it just as they would treat any other website.
The HTTPS icon only indicates that the user’s data is encrypted.
Remember that the data actually has to travel between the user’s device and the website.
Hence if somehow, some technology can encrypt that data, then this gives a lot of security to the user’s sensitive information.
Now, there are a lot of malicious websites on the internet that can play their part in setting users up for those bad Man in the Middle attacks.
Hence, users should always exercise caution about all websites that they visit.
Users should make sure that the website they are visiting isn’t fake.
Coming back to HTTPS, HTTPS makes use of TLS or Transport Layer Security.
Some users incorrectly refer to TLS as SSL, which is Secure Sockets Layer.
The correct understanding is that SSL is actually a predecessor to the newer TLS.
But somehow, the names refuse to go away and hence the community is stuck with the two terms.
HTTP and TLS work with each other in combination in order to produce HTTPS.
As mentioned before, HTTPS provides both non-repudiation and encryption.
When the user’s web browser connects to a given HTTPS website for the first time, it sort of negotiates with the remote server.
It is during that process the web browser takes a look at and examines the remote server’s certificate.
Why does the web browser do that?
It does that to validate the certificate.
Because of this process, the web browser knows that the user is trying to connect to the right site, or at least the site it thinks it is connecting to.
This takes care of the non-repudiation part.
Also, during the negotiation, the web browser generates a set of specific session encryption keys.
These are basically the encryption keys which are then used throughout the user’s subsequent session.
Encryption keys are used to encrypt data.
This, in turn, ensures the integrity of the user’s message.
Going back to Mallory again.
If Mallory wants to successfully modify and/or alter the data that the user receives from the remote server, then Mallory has to have the possession of server session keys and browser session keys.
She must have both.
Neither of these keys is ever actually transmitted.
What does that imply?
It implies that Mallory would then have to make sure that she has control over both the server and the client.
And if that is ever the case then she wouldn’t really need to launch those Man in the Middle attacks now, would she?
So how do you make sure that you are using HTTPS at all potential instances?
Well, you can use some useful web browser plugins which help you do that.
There is one specific one called HTTPS Everywhere.
This plugin will help you to use HTTPS whenever HTTPS is available on a given website.
Today, many websites support HTTPS.
But they don’t necessarily force the web browsers to use it.
The operators of those websites need to configure their websites to force HTTPS.
Plugins such as HTTPS Everywhere help users force sites to use HTTPS.
Always Make Sure You Are Using A Web Browser Which Supports Public Key Pinning
As mentioned before, some of these malicious MiTm attacks are quite elaborate.
But modern protection technologies such as encryption and TLS hinder hackers from exploiting online users.
And we have already said that hackers find it very hard if not impossible to break encryption.
Hence the easier way for hackers is to mimic a legitimate website instead.
Keep in mind that only advanced hackers can launch such attacks.
Just to take an example, we know that web browsers trust TLS certificates.
Because organizations called Certificate Authorities (CAs) sign them, and web browsers trust Certificate Authorities.
However, if Mallory manages to successfully compromise a CA then she can proceed to issue valid and legitimate certificates for any online domain she likes.
Moreover, her malicious domain would have no problems gaining trust from web browsers.
Once Mallory has managed to successfully impersonate a genuine and legitimate website, then all she has to do is to get the target user to visit that malicious website.
The only challenge left is to get users to go to the website, which common/standard phishing techniques take care of.
We have a rather known example of this in the form of a case that happened in 2011.
In 2011, hackers compromised the Dutch CA by the name of DigiNotar.
Then they created genuine-looking certificates in order to deceive a large number of online Gmail users from Iran.
These Iranian users of Gmail mistakenly gave up their sensitive information such as Google usernames and passwords to hackers.
And that’s why we have HTTP HPKP or HTTP Public Key Pinning.
This is basically a method with which website owners can actually inform web browsers which public keys their website would want to use.
So when a web browser visits that same website and can’t find the public key that the owner specified, or that public key is not on the list of trusted public keys, the web browser gets an indication that the website is not legit.
Or at the very least, the website’s TLS certificate isn’t valid.
The other thing readers have to remember here is that the server owner has to complete the process of pinning.
Users can protect themselves by using a web browser that has support for Public Key Pinning.
At the time of writing this guide, Chrome (version 56), Firefox (version 32) and of course Opera (version 33) support Public Key Pinning.
And no, we didn’t really forget to include Microsoft Edge and Internet Explorer.
They actually do not support Public Key Pinning.
Moreover, you should know that Mozilla Firefox comes with a setting in its about:config page by the name of security.cert_pinning.enforcement_level (listed there with its value, 1).
This setting allows users to disable HPKP.
The real question is, should you disable HPKP?
But this setting is useful if a user wants to test if his/her web browser actually supports HPKP.
You can go to this HPKP testing website to check your web browser.
This website will first present the user with HPKP headers.
It also presents an invalid public key.
As a result of this setup, if the user’s web browser supports HPKP, the web browser will display, to the user, an error message.
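To make the browser’s side of HPKP concrete, here is an added Python example (not the article’s own code, and not a browser implementation) of the two decisions a pinning-aware browser makes: on the first HTTPS visit it only notes a Public-Key-Pins header whose pins match the served chain and include a backup pin, as RFC 7469 requires; on later visits it rejects any chain, CA-signed or not, that carries none of the noted keys. The SubjectPublicKeyInfo byte strings are constructed stand-ins, not real DER keys.

```python
import base64
import hashlib
import re


def spki_pin(spki_der):
    """pin-sha256 as RFC 7469 defines it: base64(SHA-256(DER SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()


def parse_hpkp(header):
    """Parse a Public-Key-Pins header value into pins and directives."""
    pins, max_age, include_sub = set(), None, False
    for directive in header.split(";"):
        directive = directive.strip()
        m = re.fullmatch(r'pin-sha256="([A-Za-z0-9+/=]+)"', directive)
        if m:
            pins.add(m.group(1))
        elif directive.lower().startswith("max-age="):
            max_age = int(directive.split("=", 1)[1].strip('"'))
        elif directive.lower() == "includesubdomains":
            include_sub = True
    return {"pins": pins, "max_age": max_age, "include_subdomains": include_sub}


def note_pins(header, chain_spkis):
    """First visit over HTTPS: decide whether the browser stores this pin set.

    chain_spkis holds the DER SPKI of each certificate in the served chain.
    Returns (policy or None, reason)."""
    policy = parse_hpkp(header)
    chain_pins = {spki_pin(s) for s in chain_spkis}
    if policy["max_age"] is None or not policy["pins"]:
        return None, "invalid header: missing max-age or pins, ignored"
    if not policy["pins"] & chain_pins:
        return None, "no pin matches the served chain: header ignored"
    if not policy["pins"] - chain_pins:
        return None, "no backup pin outside the chain: header ignored"
    return policy, "pins noted"


def check_pins(policy, chain_spkis):
    """Later visit: a chain without any noted key fails, even if a trusted CA signed it."""
    chain_pins = {spki_pin(s) for s in chain_spkis}
    if policy["pins"] & chain_pins:
        return True, "pinned key present"
    return False, "pin validation failed: possible mis-issued certificate"


# Constructed SPKI stand-ins: the site's key, its offline backup, and a key
# for the same domain issued through a compromised CA.
SITE_SPKI = b"constructed SPKI of the site's live key"
BACKUP_SPKI = b"constructed SPKI of the site's backup key"
ROGUE_SPKI = b"constructed SPKI of a key from a compromised CA"
PKP_HEADER = (
    f'pin-sha256="{spki_pin(SITE_SPKI)}"; pin-sha256="{spki_pin(BACKUP_SPKI)}"; '
    "max-age=5184000; includeSubDomains"
)

if __name__ == "__main__":
    policy, why = note_pins(PKP_HEADER, [SITE_SPKI])
    print(why)
    print(check_pins(policy, [ROGUE_SPKI]))  # the DigiNotar-style certificate is refused
```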
Try To Use A VPN Service Provider At All Times
Perhaps the best way to protect your data, privacy, and identity on the internet is to use a VPN service.
A VPN is a blessing that not many people bother to be grateful for.
Let’s see how it works.
A VPN, or Virtual Private Network, basically creates a tunnel between the user’s device and the VPN server.
It then encrypts this tunnel.
All of the user’s traffic then goes through this VPN tunnel.
What does that mean for the user?
It means that even if the user is forced to visit a non-HTTPS version of a given website, or even if hackers have managed to trick the user into using a malicious website or a free wifi access point, the user would still maintain a degree of protection against many types of MiTm attacks.
Let’s consider that free WiFi access point issue a bit more closely.
If a user has connected to Mallory’s malicious and fake Wifi access point, then Mallory has the ability to see the user’s traffic.
All of it.
But if a user is using a VPN service, then all of his/her online traffic is encrypted by the VPN.
And when that is the case, Mallory doesn’t have the ability to read the user’s data.
In other words, the encrypted data wouldn’t make any sense to Mallory.
Mallory will actually receive a bunch of unreadable gibberish, or encrypted blobs, which won’t provide her with any meaningful data.
So should you use a VPN service all the time?
If possible then yes.
But if you are regularly using free Wifi access points then using a VPN service is an absolute must.
IPVanish is a pretty good VPN service provider if you are on the lookout for one.
It is our highest ranked VPN service provider and for good reason.
- A zero-log VPN service provider
- One of the few VPN service providers that come with a genuine money-back guarantee
So, to sign up for IPVanish from the official website, click here.
Make Sure You Are Using A Web Browser That Has Support For HTTP HSTS or HTTP Strict Transport Security
Now, what is HTTP HSTS?
There is no need to emphasize the point that HTTPS is probably the best thing that could have happened to the internet as far as preventing MiTm attacks is concerned.
With that said, HTTPS isn’t invulnerable.
It too has weaknesses.
Or rather potential weaknesses.
You see, if a given website owner wants to force visitors to make use of HTTPS, the website owner has two options.
The first option is to simply shut down the unencrypted HTTP connection on port 80 altogether.
What does that mean for the end user?
It means that people who attempt to connect to the website using http:// would simply get nothing.
Their connection to the site that has disabled HTTP by shutting down port 80 would just time out.
But here is the problem:
Website owners don’t want to disappoint their visitors.
In other words, they don’t want people to go through a negative experience.
So what do they do instead?
They skip the part about shutting down port 80 and leave it open.
Then they use that port 80 to send each web browser an HTTP 301 redirect code.
This code tells the web browser to change course and head towards the https:// address.
As far as the real world goes, this method works really well.
But hackers are a clever bunch of people.
They will always manage to find opportunities where initially there are none.
And hence, this method provides them an opportunity to execute the fabled Downgrade Attack.
They can launch it during the HTTP 301 redirect process.
What does a downgrade attack do?
A downgrade attack can potentially force a given web server to use much weaker online cryptographic ciphers.
This allows the hackers to launch subsequent MiTm attacks using much less effort and resources.
So what do websites which employ HSTS do differently?
First of all, they send headers to the web browser during the very first time the user tries to connect to the website.
Then they direct the web browser to make use of HTTPS.
After receiving the HTTPS command, the web browser disconnects the user’s existing session.
After that the web browser goes ahead and reconnects, this time using HTTPS.
For some users, this may not seem like a huge difference.
But it is.
It greatly reduces the probability of all MiTm attacks.
Moreover, it also lessens the potential harm that can come from any attack vector that is related to HTTPS redirect or standard HTTP.
Our research shows that almost all modern web browsers have support for HSTS.
But as you might already know, there are a ton of web browsers currently available in the market today.
Hence, you would do well if you spend some time and confirm if your web browser supports HSTS or not.
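The HSTS behaviour described above, as an added Python example that is not part of the original guide: a browser-side policy store that records a Strict-Transport-Security header received over HTTPS, honours max-age and includeSubDomains, and rewrites later http:// URLs to https:// before any packet leaves the machine, so the port 80 redirect (and the downgrade window around it) never happens. A host with no stored policy is left alone, which is exactly the first-visit gap the section mentions. Hostnames and header values are constructed.

```python
import time
from urllib.parse import urlsplit, urlunsplit


class HstsStore:
    """Browser-side HSTS cache: remembers hosts that demanded HTTPS."""

    def __init__(self):
        self.policies = {}  # host -> (expires_at, include_subdomains)

    def note_header(self, host, header, now=None):
        """Record a Strict-Transport-Security header received over HTTPS.

        Returns True if a policy was stored, False if the header was malformed
        or carried max-age=0 (which clears any existing policy)."""
        now = now if now is not None else time.time()
        max_age, include_sub = None, False
        for directive in header.split(";"):
            key, _, val = directive.strip().partition("=")
            if key.lower() == "max-age" and val.strip('"').isdigit():
                max_age = int(val.strip('"'))
            elif key.lower() == "includesubdomains":
                include_sub = True
        if max_age is None:
            return False  # malformed header: browsers ignore it
        if max_age == 0:
            self.policies.pop(host.lower(), None)
            return False
        self.policies[host.lower()] = (now + max_age, include_sub)
        return True

    def is_hsts_host(self, host, now=None):
        """True if host, or a parent with includeSubDomains, has a live policy."""
        now = now if now is not None else time.time()
        labels = host.lower().split(".")
        for i in range(len(labels)):
            policy = self.policies.get(".".join(labels[i:]))
            if policy is None:
                continue
            expires, include_sub = policy
            if now > expires:
                continue  # expired policy: the host must send the header again
            if i == 0 or include_sub:
                return True
        return False

    def upgrade(self, url, now=None):
        """Rewrite an http:// URL to https:// when the host is a known HSTS host."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not self.is_hsts_host(parts.hostname, now):
            return url  # no policy: this request would really go out on port 80
        netloc = parts.hostname
        if parts.port and parts.port != 80:
            netloc += f":{parts.port}"  # non-default ports are kept as-is
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    store = HstsStore()
    # Constructed: the webmail server sent this header over the first HTTPS connection.
    store.note_header("webmail.example", "max-age=31536000; includeSubDomains", now=1000)
    print(store.upgrade("http://webmail.example/inbox", now=2000))
    print(store.upgrade("http://other.example/", now=2000))  # untouched: no policy known
```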
Nasty Man in the Middle attacks
Not all MiTm attacks are complicated.
Some are inelegant.
And rather basic.
To take an example, Mallory (her again) doesn’t need a lot of technical expertise to set up two online email addresses.
These email addresses could match the real email addresses of Bob and Alice.
Then Mallory could initiate a conversation with either one of them.
All the while Mallory could purport to be someone else.
A lot of email clients on the market only show the email sender’s name.
In other words, they don’t show the email sender’s actual email address.
You might think this is a rudimentary ruse but believe it or not, it works more often than not.
If Mallory’s scheme goes according to plan, it becomes possible for her to operate both people’s email inboxes and remain in the middle of Bob’s and Alice’s conversation for an indefinite amount of time.
How do you defend against that?
Well, the first thing you should do against such types of MiTm attacks is to exercise vigilance.
There are always telltale signs that you should look out for.
Such as uncommon language.
Moreover, while checking and reading emails, if you find something suspicious you should just hover over your email sender’s email address.
Your email service will generally show you more information about the sender which can further give you clues whether the sender is real or not.
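The “hover over the sender” check, done programmatically as an added Python example (not from the original guide): it compares the From header’s display name against a constructed address book of known contacts, flags display names that themselves look like addresses, and flags a Reply-To that points somewhere other than the sender. The messages are constructed; the address book is a stand-in for whatever contact list the mail client has.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed address book: display names the user actually knows, and their real addresses.
KNOWN_CONTACTS = {
    "Alice Smith": "alice@example.com",
    "Bob Jones": "bob@example.com",
}


def sender_findings(raw_message, contacts=KNOWN_CONTACTS):
    """Return the suspicious things about who a message claims to be from."""
    msg = message_from_string(raw_message)
    display, address = parseaddr(msg.get("From", ""))
    address = address.lower()
    findings = []

    # Known name, unknown address: the classic "Mallory as Alice" setup.
    expected = contacts.get(display)
    if expected and address != expected.lower():
        findings.append(f"display name '{display}' belongs to {expected} but mail came from {address}")

    # A display name that itself looks like an address hides the real sender in clients that show names only.
    if "@" in display and display.lower() != address:
        findings.append(f"display name '{display}' looks like an address but the actual sender is {address}")

    # Replies silently routed to a third mailbox keep Mallory in the middle.
    reply_to = parseaddr(msg.get("Reply-To", ""))[1].lower()
    if reply_to and reply_to != address:
        findings.append(f"replies would go to {reply_to}, not to the sender {address}")
    return findings


# Constructed messages for the demo.
SPOOFED = (
    "From: Alice Smith <alice.smith@mail-example.net>\n"
    "To: bob@example.com\nSubject: funds\n\nPlease release the funds.\n"
)
LEGIT = "From: Alice Smith <alice@example.com>\nTo: bob@example.com\nSubject: funds\n\nPlease withhold the funds.\n"
LOOKALIKE = 'From: "alice@example.com" <mallory@mallory-example.net>\nTo: bob@example.com\n\nHi Bob.\n'
REPLY_TO = "From: Bob Jones <bob@example.com>\nReply-To: bob.jones@mallory-example.net\n\nHi Alice.\n"

if __name__ == "__main__":
    for name, raw in [("spoofed", SPOOFED), ("legit", LEGIT), ("lookalike", LOOKALIKE), ("reply-to", REPLY_TO)]:
        print(name, sender_findings(raw))
```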
Best Known Examples Of Man in the Middle attacks
We have already touched on many different types of MiTm attacks.
We have talked about MiTm attacks via Wifi networks and those replay MiTm attacks.
But as we alluded to before, there is literally no limit to the number of MiTm attacks techniques that hackers can use.
And hackers do like to exercise a lot of creativeness when it comes to these MiTm attacks.
As we have mentioned before, any man in the middle attack will have two or even more parties.
In the process, the two or more parties usually will be communicating with each other.
This process usually has everything that a hacker could need in order to intimidate one of the participants of the conversation.
Hackers can do that by injecting themselves in the middle of that conversation.
So here are a couple more types of MiTm attacks.
ARP stands for Address Resolution Protocol.
Most people in the industry consider it as the unsung hero of the IP networking process.
It ensures that all packets arrive at the exact network card they are destined for.
Here is the thing with packets:
Once they reach the destination LAN, these packets need to know the precise MAC, or Media Access Control, address of the specific network card they are destined for.
How do these packets accomplish that task?
They have to bring ARP into the picture.
More precisely, an ARP who-has request.
This request basically asks each and every computer on the local network who has the packet’s destination IP address.
Theoretically speaking, the network card that has been assigned that IP address responds with its Media Access Control address.
And because of that packets get delivered.
In the real practical world though, things are a bit different as always.
See, the ARP protocol doesn’t really have an authentication method built into it.
Hence our Mallory here could very well respond that she herself has that IP address.
And hence those packets, i.e., the traffic, will eventually get delivered to her.
Such maneuvers make this kind of attack a bona fide man in the middle attack.
But before that can happen, Mallory would have to make sure that she can forward the packet to its original and correct Media Access Control address too.
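Because ARP has no authentication, the defence is to watch for the symptoms described above. The following is an added Python example (not the guide’s own code, and detection only): it parses raw Ethernet+ARP frames and raises an alert when an IP address that was already bound to one MAC is suddenly claimed by another, or when the MAC inside the ARP reply disagrees with the Ethernet source that carried it. The frames are constructed in the block; in use they would come from a raw socket or a pcap file.

```python
import struct

ETH_HDR = struct.Struct("!6s6sH")           # dst MAC, src MAC, EtherType
ARP_HDR = struct.Struct("!HHBBH6s4s6s4s")   # htype, ptype, hlen, plen, op, sha, spa, tha, tpa


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def ip_str(raw):
    return ".".join(str(b) for b in raw)


def parse_arp(frame):
    """Return the fields of an Ethernet/IPv4 ARP frame, or None if it is not one."""
    if len(frame) < ETH_HDR.size + ARP_HDR.size:
        return None
    _, eth_src, ethertype = ETH_HDR.unpack_from(frame)
    if ethertype != 0x0806:
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = ARP_HDR.unpack_from(frame, ETH_HDR.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"eth_src": mac_str(eth_src), "op": op, "sha": mac_str(sha),
            "spa": ip_str(spa), "tha": mac_str(tha), "tpa": ip_str(tpa)}


class ArpWatch:
    """Tracks IP-to-MAC bindings seen in ARP replies and reports signs of poisoning."""

    def __init__(self):
        self.table = {}  # ip -> MAC that first answered for it

    def observe(self, frame):
        """Feed one frame; returns a list of alert strings (empty when nothing is wrong)."""
        arp = parse_arp(frame)
        if arp is None:
            return []
        alerts = []
        if arp["sha"] != arp["eth_src"]:
            alerts.append(f"ARP sender {arp['sha']} does not match Ethernet source {arp['eth_src']}")
        if arp["op"] == 2:  # reply: someone claims to own spa
            known = self.table.get(arp["spa"])
            if known is None:
                self.table[arp["spa"]] = arp["sha"]
            elif known != arp["sha"]:
                alerts.append(f"{arp['spa']} changed from {known} to {arp['sha']} (possible ARP poisoning)")
        return alerts


def build_arp(op, sha, spa, tha, tpa, eth_src=None):
    """Constructed test frames: pack an Ethernet+ARP packet from string fields."""
    mac = lambda s: bytes(int(x, 16) for x in s.split(":"))
    ip = lambda s: bytes(int(x) for x in s.split("."))
    eth_dst = mac(tha) if op == 2 else b"\xff" * 6
    eth = ETH_HDR.pack(eth_dst, mac(eth_src or sha), 0x0806)
    return eth + ARP_HDR.pack(1, 0x0800, 6, 4, op, mac(sha), ip(spa), mac(tha), ip(tpa))


# Constructed LAN: the real gateway answers first, then a second host claims the gateway's IP.
GATEWAY_REPLY = build_arp(2, "aa:bb:cc:00:00:01", "192.168.1.1", "aa:bb:cc:00:00:10", "192.168.1.10")
CLAIM_REPLY = build_arp(2, "de:ad:be:ef:00:01", "192.168.1.1", "aa:bb:cc:00:00:10", "192.168.1.10")

if __name__ == "__main__":
    watch = ArpWatch()
    print(watch.observe(GATEWAY_REPLY))  # []
    print(watch.observe(CLAIM_REPLY))    # one alert: 192.168.1.1 changed MAC
```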
This one belongs to the advanced types of MiTm attacks.
Hackers can use this type of MiTm on larger networks.
In other words, on networks that employ switches.
Now, the thing you need to understand about switches is that they contain a CAM table.
Or Content Addressable Memory table.
This table records the relationships between the Media Access Control addresses of the network cards the switch serves and the switch ports they are connected to.
Assuming that no other security setup has been installed, the switch builds the CAM table dynamically.
It also updates the CAM table with each and every packet it sees.
A hacker with enough skills could actually spoof a packet with the target’s Media Access Control address.
After that, the specific switch would actually record that association.
What does all of this lead to?
It would mean that all subsequent packets which are destined for the target’s or victim’s machine will actually be sent to the hacker’s address.
All MiTm attacks are hard to detect.
And because of that, security experts have not managed to come up with a silver bullet defense against Man in the Middle attacks.
But why can’t we defend against Man in the Middle attacks?
Well, the inability to properly defend against Man in the Middle attacks stems from the simple fact that there are so many types of Man in the Middle attacks.
In fact, there is no end to the different techniques hackers can use in various Man in the Middle attacks.
And as we mentioned before, bad guys are very good at coming up with new types of Man in the Middle attacks.
The simple process of fetching a data packet from the user’s computer and then delivering it to a remote server somewhere far away on the internet involves a number of protocols.
This process also involves lots of applications and of course, lots of devices.
Devices such as routers and of course switches.
Any hacker has the opportunity to exploit any one of these devices or weak points.
Therefore, the best thing the user can do is to not become the low hanging fruit.
In other words, they should take all the steps that make it harder for hackers to turn them into victims via Man in the Middle attacks.
Most Man in the Middle attacks target a large number of online users.
That provides hackers the best chances of a successful MiTm.
Of course, there is always a chance that someone is targeting you specifically.
If that is the case, then your adversary may well launch a MiTm attack on your machine.
Regardless, the steps we have talked about in this guide should help you protect yourself from all kinds of Man in the Middle attacks.
And remember, the easiest way to protect against all types of hackers is to use a VPN service provider.
The best VPN service provider to protect against Man in the Middle attacks is IPVanish.
To sign up for IPVanish from the official website, click here.