An attack where the adversary gets on-path between two parties (for example by ARP spoofing to become the gateway) and then eavesdrops, modifies, or downgrades traffic, as with SSL stripping.
Man-in-the-Middle (MITM) is an attack where the adversary secretly sits between two parties, relaying and potentially altering traffic while both endpoints believe they talk directly to each other. The core requirement is a position on the path: once traffic flows through the attacker, they can read, drop, or rewrite it.
Consider a victim on the same LAN (coffee shop Wi-Fi, an office switch). One concrete chain gets the attacker from "same network" to "reading the victim's login".
ARP has no authentication. The attacker broadcasts forged ARP replies telling the victim that the router's IP now maps to the attacker's MAC, and telling the router that the victim's IP maps to the attacker's MAC. Both sides update their ARP caches and start sending frames to the attacker, who forwards them on so nothing looks broken.
# Poison both directions and forward traffic
echo 1 > /proc/sys/net/ipv4/ip_forward
arpspoof -i wlan0 -t 192.168.1.50 192.168.1.1 # tell victim we are the router
arpspoof -i wlan0 -t 192.168.1.1 192.168.1.50 # tell router we are the victim
The victim usually reaches a site by typing example.com or following an http:// link, so the first request is plaintext HTTP. The attacker keeps HTTPS to the real server but serves the victim plain HTTP, rewriting every https:// link and redirect in the responses to http://. This is SSL stripping.
Victim --HTTP--> Attacker --HTTPS--> example.com
<-HTTP--- <--HTTPS---
# Attacker downgrades 301/302 to https and rewrites <a href> targets
The page renders normally, but the address bar reads http://example.com with no padlock, and the login form posts credentials in cleartext straight to the attacker. The whole attack depends on the victim not noticing the missing https and lock icon.
Strict-Transport-Security, the browser refuses plain HTTP to that host for the max-age window, so the step-2 downgrade never happens. Preloading ships the rule in the browser so even the very first visit is HTTPS-only, closing the trust-on-first-use gap.