Security Glossary

Man-in-the-Middle (MITM)

An attack where the adversary gets on-path between two parties (for example by ARP spoofing to become the gateway) and then eavesdrops, modifies, or downgrades traffic, as with SSL stripping.

Man-in-the-Middle (MITM) is an attack where the adversary secretly sits between two parties, relaying and potentially altering traffic while both endpoints believe they talk directly to each other. The core requirement is a position on the path: once traffic flows through the attacker, they can read, drop, or rewrite it.

A Full Attack: ARP Spoofing to SSL Strip

Consider a victim on the same LAN (coffee shop Wi-Fi, an office switch). One concrete chain gets the attacker from "same network" to "reading the victim's login".

Step 1: Become the gateway with ARP spoofing

ARP has no authentication. The attacker broadcasts forged ARP replies telling the victim that the router's IP now maps to the attacker's MAC, and telling the router that the victim's IP maps to the attacker's MAC. Both sides update their ARP caches and start sending frames to the attacker, who forwards them on so nothing looks broken.

# Poison both directions and forward traffic
echo 1 > /proc/sys/net/ipv4/ip_forward
arpspoof -i wlan0 -t 192.168.1.50 192.168.1.1   # tell victim we are the router
arpspoof -i wlan0 -t 192.168.1.1 192.168.1.50   # tell router we are the victim

Step 2: Strip TLS on the way to the site

The victim usually reaches a site by typing example.com or following an http:// link, so the first request is plaintext HTTP. The attacker keeps HTTPS to the real server but serves the victim plain HTTP, rewriting every https:// link and redirect in the responses to http://. This is SSL stripping.

Victim  --HTTP-->  Attacker  --HTTPS-->  example.com
        <-HTTP---            <--HTTPS---
# Attacker downgrades 301/302 to https and rewrites <a href> targets

Step 3: What the victim sees

The page renders normally, but the address bar reads http://example.com with no padlock, and the login form posts credentials in cleartext straight to the attacker. The whole attack depends on the victim not noticing the missing https and lock icon.

Other Positions

  • Rogue Wi-Fi / evil twin: a fake access point puts the attacker on-path by default.
  • DNS spoofing: forged DNS answers point a name at attacker infrastructure.
  • BGP hijacking: route announcements pull internet-scale traffic through the attacker.

Defenses That Actually Stop This

  • HSTS with preload defeats SSL stripping. With Strict-Transport-Security, the browser refuses plain HTTP to that host for the max-age window, so the step-2 downgrade never happens. Preloading ships the rule in the browser so even the very first visit is HTTPS-only, closing the trust-on-first-use gap.
  • Strict certificate validation. A forged or attacker-signed certificate must fail name and chain checks. Clients that ignore validation errors (or users who click through warnings) hand the attacker the connection.
  • Certificate pinning in mobile and desktop clients rejects any chain that is not the expected one, even a valid CA-signed impostor.
  • A VPN only moves the trust boundary. It encrypts the local hop so LAN ARP spoofing sees nothing useful, but traffic still exits the VPN provider in cleartext toward the destination. You have replaced trust in the coffee shop with trust in the VPN operator, not removed the need for TLS.

See Also