The IT Law Wiki

Definitions

A man-in-the-middle attack (MITM, MitM, MIM, MiM and MITMA)

occurs when an attacker collects personal information by intercepting a user's messages that are intended to be sent to a legitimate site.
[is] [a]ctively impersonating multiple legitimate parties, such as appearing as a client to an access point and appearing as an access point to a client. Allows an attacker to intercept communications between an access point and a client, thereby obtaining authentication credentials and data.[1]
[is] [a]n attack on the authentication protocol run in which the attacker positions himself in between the claimant and verifier so that he can intercept and alter data traveling between them.[2]
[a] form of active wiretapping attack in which the attacker intercepts and selectively modifies communicated data to masquerade as one or more of the entities involved in a communication association.[3]

Overview


Examples of man-in-the-middle attacks include:

Man-in-the-middle attacks are difficult for a user to detect, because a legitimate site can appear to work properly, and there may be no external indication that anything is wrong.

Normally, SSL web traffic is not vulnerable to a man-in-the-middle attack. The handshake used by SSL ensures that the session is established with the party named in the server's certificate and that an external attacker cannot obtain the session key; SSL traffic is encrypted with the session key, so it cannot be decoded by an eavesdropper. Proxies normally have provisions for tunneling such encrypted traffic without being able to access its contents. However, browsers and other standard software applications generally accept, without prompting, certificates issued by any trusted certificate authority, and crimeware can modify the system configuration to install a new trusted certificate authority. Once that has been done, a proxying intermediary can create its own certificates in the name of any SSL-protected site. Since these certificates come from a certificate authority that the reconfigured system now "trusts", the local software accepts them unconditionally. The intermediary is therefore able to decrypt the traffic and extract confidential information, then re-encrypt it to communicate with the other side. In practice, however, most man-in-the-middle attacks simply do not use SSL, since users do not generally check for its presence.
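As an added illustration of the point above (this is example code written for this page, not code from the wiki or from any product it describes): a Go program that issues a genuine certificate for a constructed hostname from a legitimate root CA and a forged certificate for the same hostname from an injected root CA. It then runs the same chain validation a TLS client performs against two trust stores: one that holds only the expected root (the pinned case) and one to which the injected root has been added, as crimeware would do. The forged certificate is rejected under the first store and accepted under the second, which is why pinning the expected root, or auditing the trust store for unexpected additions, is the corresponding defence. The hostname, CA names, key type and validity periods are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue creates a P-256 certificate for subject. With parent == nil the
// certificate is self-signed (a root CA); otherwise it is signed by parent.
func issue(subject string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey, serial int64) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: subject},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
	}
	if isCA {
		tmpl.IsCA = true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{subject}
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	signer, signerKey := tmpl, key
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// chainsTo reports whether leaf is a valid certificate for host under the
// given set of trusted roots; this is the check a TLS client performs.
func chainsTo(leaf *x509.Certificate, roots *x509.CertPool, host string) bool {
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	return err == nil
}

type CertResult struct {
	LegitUnderPinnedRoot  bool // genuine cert, trust store holds only the expected CA
	ForgedUnderPinnedRoot bool // forged cert, same pinned trust store
	ForgedUnderAddedRoot  bool // forged cert after the injected CA was added to the store
}

// CertScenario builds both chains and validates them against both trust stores.
func CertScenario() (CertResult, error) {
	const host = "bank.example" // constructed hostname for the example
	legitCA, legitCAKey, err := issue("Legit Root CA", true, nil, nil, 1)
	if err != nil {
		return CertResult{}, err
	}
	legitLeaf, _, err := issue(host, false, legitCA, legitCAKey, 2)
	if err != nil {
		return CertResult{}, err
	}
	rogueCA, rogueCAKey, err := issue("Injected Root CA", true, nil, nil, 3)
	if err != nil {
		return CertResult{}, err
	}
	forgedLeaf, _, err := issue(host, false, rogueCA, rogueCAKey, 4)
	if err != nil {
		return CertResult{}, err
	}
	pinned := x509.NewCertPool() // only the root the site is known to use
	pinned.AddCert(legitCA)
	tampered := x509.NewCertPool() // the same store after a new "trusted" CA was installed
	tampered.AddCert(legitCA)
	tampered.AddCert(rogueCA)
	return CertResult{
		LegitUnderPinnedRoot:  chainsTo(legitLeaf, pinned, host),
		ForgedUnderPinnedRoot: chainsTo(forgedLeaf, pinned, host),
		ForgedUnderAddedRoot:  chainsTo(forgedLeaf, tampered, host),
	}, nil
}

func main() {
	r, err := CertScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", r)
}
```

The only difference between the two trust stores is the extra root, so a periodic comparison of the system's trust store against a known-good baseline catches exactly the reconfiguration the paragraph describes.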

Man-in-the-middle attacks can compromise authentication credentials other than passwords, such as one-time or time-varying passcodes generated by hardware devices. Such stolen credentials can be used by an attacker for authentication as long as they remain valid.

Security

A man-in-the-middle attack (also called bucket-brigade attack or sometimes Janus attack) is one in which the attacker intercepts messages in a public key exchange and then retransmits them, substituting his or her own public key for the requested one, so that the two original parties still appear to be communicating with each other directly.
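The following Go program is an added example, not code from the wiki, showing the key-substitution attack above on a toy Diffie-Hellman exchange and the standard defence against it: each party signs its public value with a long-term identity key that the peer already knows (in practice, from a certificate). A relay that swaps its own public value into a message cannot produce a valid signature over it, so the receiver rejects the message; without that check the receiver silently ends up sharing a secret with the relay instead of the intended party. The 61-bit prime, generator and party names are constructed for illustration and are far too weak for real use.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"math/big"
)

// Toy Diffie-Hellman group, constructed for illustration only.
var (
	dhPrime = new(big.Int).SetUint64(2305843009213693951) // 2^61 - 1
	dhGen   = big.NewInt(2)
)

// Party holds a long-term Ed25519 identity key (assumed to be already known
// to the peer) and an ephemeral Diffie-Hellman key pair.
type Party struct {
	Name   string
	idKey  ed25519.PrivateKey
	IDPub  ed25519.PublicKey
	dhPriv *big.Int
	DHPub  *big.Int
}

func NewParty(name string) (*Party, error) {
	idPub, idKey, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	// Random exponent in [2, p-2].
	x, err := rand.Int(rand.Reader, new(big.Int).Sub(dhPrime, big.NewInt(3)))
	if err != nil {
		return nil, err
	}
	x.Add(x, big.NewInt(2))
	return &Party{Name: name, idKey: idKey, IDPub: idPub, dhPriv: x,
		DHPub: new(big.Int).Exp(dhGen, x, dhPrime)}, nil
}

// Offer is the message on the wire: a DH public value and the sender's
// identity signature over it.
type Offer struct {
	DHPub *big.Int
	Sig   []byte
}

func (p *Party) MakeOffer() Offer {
	return Offer{DHPub: p.DHPub, Sig: ed25519.Sign(p.idKey, p.DHPub.Bytes())}
}

// Accept verifies that the received value was signed by the peer's identity
// key before deriving the shared secret; ok is false if the check fails.
func (p *Party) Accept(o Offer, peerID ed25519.PublicKey) (secret *big.Int, ok bool) {
	if !ed25519.Verify(peerID, o.DHPub.Bytes(), o.Sig) {
		return nil, false
	}
	return new(big.Int).Exp(o.DHPub, p.dhPriv, dhPrime), true
}

// unauthenticatedAccept derives a secret without checking who sent the value.
func (p *Party) unauthenticatedAccept(o Offer) *big.Int {
	return new(big.Int).Exp(o.DHPub, p.dhPriv, dhPrime)
}

type ExchangeResult struct {
	HonestSecretsMatch  bool // unaltered exchange: both sides derive the same secret
	SubstitutedRejected bool // offer with a swapped DH value fails the signature check
	NaiveSecretIsRelays bool // without the check, the receiver shares a secret with the relay
}

// ExchangeScenario runs an honest exchange, then one where a relay swaps
// its own public value into Alice's offer while leaving the signature alone.
func ExchangeScenario() (ExchangeResult, error) {
	alice, err := NewParty("alice")
	if err != nil {
		return ExchangeResult{}, err
	}
	bob, err := NewParty("bob")
	if err != nil {
		return ExchangeResult{}, err
	}
	relay, err := NewParty("relay") // the party in the middle
	if err != nil {
		return ExchangeResult{}, err
	}
	var r ExchangeResult
	sa, okA := bob.Accept(alice.MakeOffer(), alice.IDPub)
	sb, okB := alice.Accept(bob.MakeOffer(), bob.IDPub)
	r.HonestSecretsMatch = okA && okB && sa.Cmp(sb) == 0

	swapped := alice.MakeOffer()
	swapped.DHPub = relay.DHPub // substituted in transit; Alice's signature no longer matches
	_, ok := bob.Accept(swapped, alice.IDPub)
	r.SubstitutedRejected = !ok

	naive := bob.unauthenticatedAccept(swapped)
	relaySide := new(big.Int).Exp(bob.DHPub, relay.dhPriv, dhPrime)
	r.NaiveSecretIsRelays = naive.Cmp(relaySide) == 0
	return r, nil
}

func main() {
	r, err := ExchangeScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", r)
}
```

The signature binds the ephemeral value to an identity the receiver can check independently of the channel; that binding, not the secrecy of the exchange itself, is what the bucket-brigade attack depends on being absent.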

References

