nordpass logo

All You Need to Know About Man-In-the-Middle Attacks

Chad Hammond

A man-in-the-middle attack is where an attacker secretly intercepts online communication between two people.

The two people think they’re communicating privately and securely, when in fact, attackers station themselves in between and secretly change the messages being sent.

This analogy works in both a literal and an abstract sense.

Sometimes, when we talk about communication or a communication, we refer to computer conversations. For example, when you visit a website, a communication takes place between the user and the website (often referred to as a server). During this rapid-fire conversation, a few things happen:

Both parties are acknowledged (known as a handshake) and verified by a third-party certificate (e.g., TLS certificate). This is known as mutual authentication – the green padlock in your browser implies an encrypted connection.

If both ends of the conversation are authenticated (end-to-end authentication), in theory, the connection is considered secure, thereby eliminating the risk of an MITM attack.

But what if the certificate authority itself is attacked?

Sometimes the default behavior of most certificates is to authenticate the server only, making it super easy for an attacker to fake their way in from the other end.

Fake certificates are rife online, and it just goes to show the exceptional creativity of attackers in choosing their point of interception.

And that little green padlock symbol? Think twice before counting on it. There’s no telling how good a site’s certificate is or whether it authenticates both ends, so you could still have your details stealthily stolen.

In 2011, the Dutch certificate authority DigiNotar became a victim of fraudulent certificates, used to break down the security walls of a site, with customers being none the wiser.

More recently, on September 21, 2017, Equifax found that users were being redirected to a fake phishing site, another result of an MITM attack. In this instance, the attacker was able to change the domain name to from That’s what happens when a company uses a domain with zero trust attached to it.

The good news is, the fake site was created by Nick Sweeting – a developer with only sweet intentions.

In general, MITM attackers gain access by abusing trust certificates and server keys:

A server key is a computer that works with online encryption.

It provides a special set of keys used to unlock the identity certificate.

Server key abuse key abuse – an attacker can:

  1. Generate a new server key and break their way in; the problem is, most people unwittingly accept ‘invalid SSL certificate’ notifications.

  2. Steal the server key by penetrating the server earlier, purchasing it from cybercriminals, or accessing it from equipment that wasn’t wiped properly.

  3. Duplicate certificates from trusted certificate authorities that websites use.

MITM attacks also rely on unencrypted Wi-Fi

Connecting to unencrypted Wi-Fi can leave you especially open to attacks.

Unencrypted connections include:

  • Public Wi-Fi & Hotspots

  • A wireless router that isn’t protected by a VPN

  • HTTPS sites

  • HTTP sites that don’t have end-to-end encryption (more on this later)

Technically, there are two stages:

  1. Interception – the chosen point of attack

  2. Decryption – the technique used to attack encryption

An attacker must be able to impersonate each endpoint brilliantly enough to convince either party that they’re only speaking to each other.

It’s better understood in real MITM scenarios:

Spear phishing

A targeted form of phishing. Instead of sending out trap emails in bulk to hundreds of victims the attacker gathers intimate details about a single person and strikes with one blow.

On a larger scale, scammers have used spear phishing to walk away with millions. 4 years ago, Ubiquiti Networks wired $40 million straight into an attacker’s bank account. All the scammer had to do was send a spoof email from a board member to the finance department requesting a money transfer.

A victim is far more likely to click on personalized bait when it appears as though it’s coming from their boss or close friend, for example. If an attacker spoofs your online banking page, it becomes even easier to steal your data – since it’s a complete copy of the real thing. In the example above, attackers probably spent weeks spying on their communications, to make the transfer request seem legit when they tried their luck.


A classic MITM. The simple act of an attacker spying and sometimes even altering private communications. Imagine Jack sends his bank details to Ben over public Wi-Fi (this detail is important, because it’s unencrypted). During the milliseconds that Jack’s bank details are in transit, attackers intercept and steal their bounty.

Replacing a cryptocurrency wallet

This is a double bluff ransomware attack. The attacker weighs in on the hard work of another criminal by intercepting the middle of their ransom deal. Just as a ransom is being paid into the account of a criminal, another criminal quickly replaces it with their own cryptocurrency wallet – making the already dire situation both anonymous and traceless.


Does a VPN protect against man-in-the-middle attacks?

Using a VPN can prevent man-in-the-middle attacks. A VPN creates an extra layer of security that encrypts your data, making it iron-proof against attacks.

Does SSL prevent man in the middle attacks?

SSL or Secure Sockets Layer is a form of encryption that involves a certificate and corresponding key to ignite the encryption process.

An attacker would need to: a) be able to intercept the connection, b) receive the SSL certificate, and c) successfully decrypt the data.

To decrypt the data, an attacker would need both the certificate and the matching private key, which is owned by the server.

At this point, an attacker can either use a certificate that isn’t validated by a trusted certificate authority or forge one. A reputable web-browser will pick up on this mismatch and notify you - under no circumstances should you proceed.

If the attacker forges the certificate and provides their own public key, your browser should display warnings about an ‘invalid or expired SSL certificate.’

To summarise, prevention relies on using a trusted web-browser like Chrome, Safari, or Firefox. You can also prevent MITM attacks by only visiting trusted websites and securing your devices with an extra layer of encryption – we have a few to choose from.

Subscribe to NordPass news