The Two Phases of a MITM Attack
Every MITM attack has two phases: interception (getting traffic to flow through the attacker) and decryption (making that traffic readable). Interception alone on an HTTPS connection yields encrypted ciphertext; the attacker also needs to break or bypass the encryption to exploit it.
Interception Techniques
ARP Poisoning (local network): The attacker sends forged (gratuitous) ARP replies that tell the victim the router's IP belongs to the attacker's MAC address, and tell the router the victim's IP belongs to that same MAC. Traffic between the victim and the internet then routes through the attacker's machine. Effective on any LAN or Wi-Fi segment without Dynamic ARP Inspection.
Evil Twin / Rogue Access Point: The attacker creates a Wi-Fi network with the same SSID as a legitimate one. Devices that auto-connect (or have been deauthenticated from the real AP) join the attacker's AP instead, making the attacker the network gateway for all their traffic. See the Evil Twin guide.
DNS Poisoning / Hijacking: The attacker corrupts DNS resolution so the victim's browser connects to the attacker's IP when requesting a legitimate domain. Effective even when the attacker has no presence on the victim's local network.
BGP Hijacking: At the internet routing level, an attacker announces more-specific prefixes for a victim's IP range, causing ISP routers worldwide to route traffic through the attacker's AS. Requires control of a BGP-speaking router. Used in high-profile nation-state and large-scale attacks.
SSL Interception (legitimate use): Corporate firewalls and DLP systems perform intentional MITM using a trusted root CA installed on all managed devices. The firewall terminates TLS, inspects content, and re-encrypts. From a technical standpoint, identical to an attack — the distinction is authorization.
Decryption / Exploitation Techniques
SSL Stripping: The attacker intercepts the victim's initial plain-HTTP request (the one the server would normally answer with a redirect to HTTPS), keeps serving the site to the victim over HTTP, and maintains its own HTTPS connection to the real server. The victim sees HTTP (no padlock); the server thinks it's talking to a normal client. Defeated by HSTS: once a browser has seen the HSTS header for a domain, it refuses to load that domain over HTTP.
Certificate Spoofing: The attacker presents a forged certificate for the victim domain. The browser rejects it unless the attacker has a certificate from a trusted CA (possible if a CA is compromised, or if the attacker has installed their root cert on the victim device). The browser's certificate warning is the primary user-visible defense — never ignore it.
Passive Interception: On unencrypted HTTP connections or plaintext protocols (FTP, Telnet, POP3), no decryption is needed — the attacker reads plaintext directly.
Defenses
- HTTPS everywhere: Encrypts traffic so interception yields unreadable ciphertext. Not foolproof against SSL stripping or cert spoofing, but the baseline requirement.
- HSTS (HTTP Strict Transport Security): Browsers that have seen the HSTS header refuse to load the site over HTTP at all, defeating SSL stripping. HSTS preloading hardens this further without requiring a first visit.
- Certificate Transparency: All publicly trusted TLS certificates are logged in public append-only logs. Browsers and monitoring services can detect unauthorized certificates issued for a domain.
- VPN on untrusted networks: Encrypts traffic before it leaves the device, defeating local-network interception (ARP poisoning, rogue AP). Shifts trust to the VPN provider.
- Network segmentation and DAI: Dynamic ARP Inspection on managed switches prevents ARP poisoning on wired networks.
- Don't ignore TLS warnings: A certificate error on a site you trust is the most actionable MITM signal available to end users.
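The SSL-stripping paragraph above and the HSTS defense describe a policy that lives in one response header and in the browser's memory of it. The following Python is an added example, not code from the original article: it parses a Strict-Transport-Security header (RFC 6797 syntax), reports the weaknesses that leave a site strippable, and models the browser-side decision of whether a plain http:// navigation is upgraded. The header strings and hostnames are constructed samples; the one-year threshold and the includeSubDomains/preload requirements are the ones hstspreload.org publishes for preload submission.

```python
"""Check an HSTS policy against SSL stripping (added example, not from the article)."""
from dataclasses import dataclass
from typing import Optional

ONE_YEAR = 31_536_000  # seconds; minimum max-age for preload-list submission


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool
    preload: bool


def parse_hsts(header: Optional[str]) -> Optional[HstsPolicy]:
    """Parse a Strict-Transport-Security value; None if absent or invalid.

    RFC 6797 makes max-age mandatory; a header without it (or with a
    non-numeric value) is ignored by browsers, so it counts as 'no policy'.
    """
    if not header:
        return None
    max_age = None
    include_subdomains = preload = False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    if max_age is None:
        return None
    return HstsPolicy(max_age, include_subdomains, preload)


def assess_hsts(header: Optional[str]) -> list[str]:
    """Return human-readable findings; an empty list means preload-grade HSTS."""
    policy = parse_hsts(header)
    if policy is None:
        return ["no valid HSTS policy: every plain-HTTP visit can be stripped"]
    findings = []
    if policy.max_age == 0:
        findings.append("max-age=0 clears any cached policy; stripping possible")
    elif policy.max_age < ONE_YEAR:
        findings.append(f"max-age={policy.max_age} is below one year; not preload-eligible")
    if not policy.include_subdomains:
        findings.append("missing includeSubDomains: subdomains can still be stripped")
    if not policy.preload:
        findings.append("missing preload: the first visit over HTTP remains unprotected")
    return findings


def http_is_upgraded(host: str, hsts_cache: dict[str, HstsPolicy]) -> bool:
    """Model the browser: would an http:// request to `host` be upgraded?

    `hsts_cache` maps hosts to cached policies (the preload list would seed it
    before any first visit). A parent domain's policy only covers `host` when
    it carries includeSubDomains; max-age=0 means the policy was withdrawn.
    """
    labels = host.lower().split(".")
    for i in range(len(labels)):
        policy = hsts_cache.get(".".join(labels[i:]))
        if policy is None or policy.max_age == 0:
            continue
        if i == 0 or policy.include_subdomains:
            return True
    return False


if __name__ == "__main__":
    good = "max-age=31536000; includeSubDomains; preload"  # constructed sample
    weak = "max-age=600"                                    # constructed sample
    for h in (good, weak, None):
        print(repr(h), "->", assess_hsts(h) or ["ok"])
    cache = {"example.com": parse_hsts(good)}  # as if example.com had been visited once
    print(http_is_upgraded("login.example.com", cache))  # True: parent policy covers subdomains
    print(http_is_upgraded("other.test", cache))         # False: no policy, first visit is strippable
```

The `http_is_upgraded` walk from the full hostname up through its parents is why `includeSubDomains` matters: without it, a cached policy for `example.com` does nothing for `login.example.com`, and an attacker on the path can keep that subdomain on plain HTTP.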
Frequently Asked Questions
Does a VPN protect against MITM attacks?
A VPN protects against local-network MITM (ARP poisoning, rogue Wi-Fi) by encrypting all traffic before it leaves your device. An intercepting attacker sees only encrypted tunnel traffic. However, a VPN shifts trust to the VPN provider — if they are compromised, they hold the MITM position. VPNs don't protect against MITM attacks targeting the server side of the connection.
How do I know if I'm being MITM'd?
Common indicators: unexpected TLS certificate warnings, certificate issuer changing to an unfamiliar CA (check by clicking the padlock), ARP table showing the same MAC for the gateway and another IP, DNS resolving domains to unexpected IPs. Browser certificate warnings are the most actionable signal — never click through them on sensitive sites.
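The ARP indicator above (the gateway's MAC showing up against another IP) and the ARP poisoning technique described in the interception section can both be checked from a host's own neighbour table. The following Python is an added example, not code from the original article: it parses `ip neigh show` output (Linux), flags any other IP that claims the gateway's MAC, and compares the gateway's current MAC with a baseline recorded on a known-clean network. The table text is a constructed sample, not captured output, and the gateway IP and baseline MAC are assumed values.

```python
"""Spot ARP-poisoning indicators in a neighbour table (added example, not from the article)."""
import re
from collections import defaultdict
from typing import Dict, List, Optional

# One `ip neigh` line: "<ip> dev <iface> lladdr <mac> <STATE>".
# FAILED/INCOMPLETE entries carry no lladdr and are skipped by the regex.
NEIGH_RE = re.compile(
    r"^(?P<ip>\S+)\s+dev\s+(?P<dev>\S+)\s+lladdr\s+(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\b",
    re.IGNORECASE,
)

# Constructed sample: 192.168.1.23 answering with the gateway's MAC is the tell.
SAMPLE_NEIGH = """\
192.168.1.1 dev wlan0 lladdr aa:bb:cc:dd:ee:01 REACHABLE
192.168.1.23 dev wlan0 lladdr aa:bb:cc:dd:ee:01 STALE
192.168.1.40 dev wlan0 lladdr 00:11:22:33:44:55 REACHABLE
192.168.1.77 dev wlan0 FAILED
"""


def parse_neigh(text: str) -> Dict[str, str]:
    """Map IP -> lowercase MAC for every resolved neighbour entry."""
    table: Dict[str, str] = {}
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:
            table[m["ip"]] = m["mac"].lower()
    return table


def find_arp_poisoning(table: Dict[str, str], gateway_ip: str,
                       baseline_gateway_mac: Optional[str] = None) -> List[str]:
    """Return findings; an empty list means nothing looks poisoned."""
    findings: List[str] = []
    gw_mac = table.get(gateway_ip)
    if gw_mac is None:
        findings.append(f"gateway {gateway_ip} has no resolved entry; cannot check")
        return findings

    # Indicator 1: another IP answers with the gateway's MAC. This is legitimate
    # on some networks (VRRP, proxy ARP), so treat it as a signal, not proof.
    by_mac: Dict[str, List[str]] = defaultdict(list)
    for ip, mac in table.items():
        by_mac[mac].append(ip)
    others = [ip for ip in by_mac[gw_mac] if ip != gateway_ip]
    if others:
        findings.append(f"gateway MAC {gw_mac} is also claimed by {', '.join(sorted(others))}")

    # Indicator 2: the gateway's MAC differs from a baseline taken when the
    # network was known to be clean (a silent swap is the same attack).
    if baseline_gateway_mac and gw_mac != baseline_gateway_mac.lower():
        findings.append(f"gateway MAC changed from {baseline_gateway_mac.lower()} to {gw_mac}")
    return findings


if __name__ == "__main__":
    # Assumed gateway and baseline; on a real host, feed `ip neigh show` output instead.
    table = parse_neigh(SAMPLE_NEIGH)
    for finding in find_arp_poisoning(table, "192.168.1.1", baseline_gateway_mac="AA:BB:CC:DD:EE:99"):
        print("WARNING:", finding)
```

A baseline MAC is worth recording once per network you use regularly (home, office) because the duplicate-MAC indicator only fires while both entries are still in the cache; a poisoned gateway entry whose victim entry has already expired looks normal without the baseline comparison.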