Attack Methods Glossary

Man-in-the-Middle Attack (MitM)

An attack in which an attacker secretly inserts themselves between two communicating parties, intercepts the data traffic, and potentially manipulates it—without the sender or recipient noticing.

A man-in-the-middle (MitM) attack occurs when an attacker intercepts communication between two parties (e.g., a browser and a web server) without either party being aware of it. The attacker can not only read the messages but also manipulate them.

How a MitM attack works

  • Without MitM: Alice communicates directly with Bob.
  • With MitM: Alice ↔ [Attacker Eve] ↔ Bob - Alice thinks she is talking to Bob; Bob thinks he is talking to Alice; Eve reads and/or alters everything.

The fundamental problem: To Alice and Bob, the connection looks normal—unless cryptographic authentication verifies the other party’s identity.

Variants of MitM attacks

ARP spoofing / ARP poisoning

On the local network (LAN), forged ARP responses are sent that link the attacker’s MAC address to the router’s/gateway’s IP address. All packets now flow through the attacker.

Common in: Unsecured Wi-Fi networks (cafés, hotels, conferences)
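As an added example (not part of the original glossary entry), the following Python script shows the detection side of ARP poisoning: it reads tcpdump-style ARP reply lines (the line format, log lines, IP and MAC addresses are all constructed for this illustration) and raises an alert whenever an IP address, especially the gateway's, starts resolving to a different MAC address, or a single MAC starts answering for the gateway's IP in addition to its own.

```python
"""Detect ARP poisoning symptoms in captured ARP replies.

Added example for this glossary entry; the log lines, IP and MAC addresses
below are constructed and the tcpdump-like line format is an assumption.
"""
import re
from collections import defaultdict

# Matches lines such as "10:00:01 ARP, Reply 192.168.1.1 is-at 00:11:22:33:44:55"
ARP_REPLY = re.compile(
    r"ARP, Reply (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) is-at "
    r"(?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})"
)


class ArpMonitor:
    """Tracks which MAC addresses have claimed which IP addresses."""

    def __init__(self, gateways):
        self.gateways = set(gateways)
        self.ip_to_macs = defaultdict(set)  # ip -> MACs that answered for it
        self.mac_to_ips = defaultdict(set)  # mac -> IPs it has claimed

    def observe(self, ip, mac):
        """Record one ARP reply and return the alerts it triggers (possibly none)."""
        mac = mac.lower()
        alerts = []

        # Symptom 1: an IP address suddenly answers from a different MAC.
        # For the gateway this is the classic "all traffic now flows through
        # the attacker" signature; for other hosts it may just be DHCP churn.
        macs = self.ip_to_macs[ip]
        if macs and mac not in macs:
            severity = "HIGH" if ip in self.gateways else "MEDIUM"
            alerts.append(f"{severity}: {ip} now resolves to {mac}, previously {sorted(macs)}")
        macs.add(mac)

        # Symptom 2: one MAC answers for several IPs and one of them is a gateway.
        ips = self.mac_to_ips[mac]
        if ips and ip not in ips and (ip in self.gateways or ips & self.gateways):
            alerts.append(f"HIGH: {mac} claims {ip} and also {sorted(ips)}")
        ips.add(ip)
        return alerts


def analyze(log_text, gateways):
    """Run the monitor over a whole capture and collect all alerts."""
    monitor = ArpMonitor(gateways)
    alerts = []
    for line in log_text.splitlines():
        match = ARP_REPLY.search(line)
        if match:
            alerts.extend(monitor.observe(match["ip"], match["mac"]))
    return alerts


# Constructed capture: the gateway 192.168.1.1 first answers from its real
# MAC; then the host behind de:ad:be:ef:00:01 (already known as .20) starts
# answering for the gateway's IP. The repeated line must not alert twice.
SAMPLE_ARP_LOG = """\
10:00:01 ARP, Reply 192.168.1.1 is-at 00:11:22:33:44:55
10:00:02 ARP, Reply 192.168.1.20 is-at de:ad:be:ef:00:01
10:00:05 ARP, Reply 192.168.1.1 is-at de:ad:be:ef:00:01
10:00:06 ARP, Reply 192.168.1.1 is-at de:ad:be:ef:00:01
"""

if __name__ == "__main__":
    for alert in analyze(SAMPLE_ARP_LOG, gateways={"192.168.1.1"}):
        print(alert)
```

The two severities matter in practice: DHCP lease changes and router failover (VRRP/HSRP) legitimately move an IP to a new MAC, so only the gateway case is treated as high confidence; static ARP entries for the gateway and switch-level Dynamic ARP Inspection are the preventive counterparts to this detection.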

HTTPS Downgrade / SSL Stripping

The attacker keeps a normal HTTPS connection to the server but serves the content to the victim over plain HTTP. The victim communicates unencrypted, and the attacker sees everything in plain text.

Countermeasure: HSTS (HTTP Strict Transport Security). Once a browser has received the HSTS header for a domain (or has the domain in its preload list), it refuses to talk plain HTTP to that domain and upgrades such requests to HTTPS itself, which closes the window the stripping relies on.
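To make the HSTS mechanism concrete, here is an added Python example (not code from the original entry) that models both sides: a simplified browser-side policy store that parses Strict-Transport-Security headers, honours max-age, includeSubDomains and expiry, ignores headers that did not arrive over TLS (otherwise a stripping attacker could clear the policy), and decides whether a plaintext request must be upgraded; and the server-side header builder with the preload requirements. The hosts example.com and example.org are constructed.

```python
"""HTTP Strict Transport Security: how a client stores a policy and upgrades
plaintext requests, plus the server-side header value.

Added example for this glossary entry; example.com / example.org are
constructed hosts and the in-memory store is a simplified model of a browser
(the preload list is not modelled).
"""
import time
from dataclasses import dataclass

ONE_YEAR = 31_536_000  # seconds; the minimum max-age hstspreload.org accepts


@dataclass
class HstsPolicy:
    expires_at: float
    include_subdomains: bool


def parse_hsts(header_value):
    """Parse a Strict-Transport-Security value.

    Returns (max_age, include_subdomains, preload), or None when the header is
    invalid (RFC 6797 tells clients to ignore a header without a numeric max-age).
    """
    max_age, include_subdomains, preload = None, False, False
    for directive in header_value.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            value = value.strip().strip('"')
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    if max_age is None:
        return None
    return max_age, include_subdomains, preload


class HstsStore:
    """Minimal model of a browser's HSTS cache."""

    def __init__(self, now=time.time):
        self.now = now          # injectable clock so expiry can be tested
        self.policies = {}      # host -> HstsPolicy

    def observe(self, host, header_value, over_tls):
        """Store the policy a response carried. Headers seen over plain HTTP
        are ignored; an SSL-stripping attacker must not be able to set or
        clear policies."""
        if not over_tls:
            return
        parsed = parse_hsts(header_value)
        if parsed is None:
            return
        max_age, include_subdomains, _preload = parsed
        host = host.lower()
        if max_age == 0:
            self.policies.pop(host, None)  # max-age=0 is the legitimate way to forget a host
            return
        self.policies[host] = HstsPolicy(self.now() + max_age, include_subdomains)

    def must_upgrade(self, host):
        """True when a plaintext request to host has to be rewritten to https://."""
        host = host.lower()
        labels = host.split(".")
        for i in range(len(labels)):
            policy = self.policies.get(".".join(labels[i:]))
            if policy is None or policy.expires_at <= self.now():
                continue  # unknown or expired
            if i == 0 or policy.include_subdomains:  # exact host, or a parent with includeSubDomains
                return True
        return False


def build_hsts_header(max_age=ONE_YEAR, include_subdomains=True, preload=False):
    """Server side: the header value to send. Preload submission requires the
    one-year max-age, includeSubDomains and the preload directive together."""
    if preload and (max_age < ONE_YEAR or not include_subdomains):
        raise ValueError("preload requires max-age >= 31536000 and includeSubDomains")
    parts = [f"max-age={max_age}"]
    if include_subdomains:
        parts.append("includeSubDomains")
    if preload:
        parts.append("preload")
    return "; ".join(parts)
```

The gap the model makes visible is the very first visit: until a policy is stored, `must_upgrade` returns False and a plaintext request goes out, which is exactly why the enterprise checklist below asks for the preload directive rather than relying on the header alone.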

DNS Spoofing / DNS Cache Poisoning

Forged DNS responses resolve the victim's queries to IP addresses the attacker controls:

  • bank.de → attacker’s IP instead of the real bank’s IP
  • Victim lands on a deceptively real phishing site

Countermeasure: DNSSEC, DNS over HTTPS (DoH)

Rogue Access Point / Evil Twin

An attacker sets up a fake Wi-Fi network with the same name as a legitimate network (e.g., "Airport_Free_WiFi"). Devices connect automatically—the attacker controls all traffic.

Countermeasure: Always use a VPN on public Wi-Fi networks; implement Wi-Fi connection policies for corporate devices.

BGP Hijacking

At the Internet routing level: false BGP route announcements cause traffic to be routed through the attacker’s networks. State actors and large ISPs are in a position to do this. Known incidents: Russia (2017), Iran (2010).

AiTM Phishing (Adversary-in-the-Middle)

Modern phishing kits (e.g., Evilginx2) act as reverse proxies: the attacker sits between the victim and the genuine website, intercepts credentials and MFA codes in real time, and steals the resulting session cookie.

This bypasses TOTP-based MFA entirely, because the one-time code is relayed to the real site within its validity window.

Why TLS/HTTPS Provides Protection (and Why Not Always)

TLS protects against classic MitM:

  • Server certificate is signed by a trusted CA
  • Browser verifies certificate: Does it match the domain? Is it from a known CA?
  • The certificate cannot be forged without the CA’s private key
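The "Does it match the domain?" step is the one most often misunderstood, so here is an added Python example (not from the original entry) that reimplements the browser rule for matching a certificate's subjectAltName entries against the requested host: exact dNSName match, a wildcard only as the entire leftmost label and only with at least two labels after it, and IP addresses matched only against IP Address entries. The certificate contents are constructed. In real code this check belongs to the TLS library (Python's ssl does it when check_hostname is True); the point here is to show what the library is checking.

```python
"""Certificate hostname verification as browsers apply it.

Added example for this glossary entry. The subjectAltName list below is
constructed in the shape ssl.getpeercert()['subjectAltName'] returns.
"""
import ipaddress


def dns_name_matches(pattern, host):
    """Match one SAN dNSName (possibly with a wildcard) against a hostname.

    Rules (RFC 6125 style, as browsers enforce them):
      * comparison is case-insensitive and ignores a trailing dot
      * a wildcard must be the entire leftmost label ("*.example.com")
      * "*.com" and similar public-suffix-wide wildcards are rejected
      * the wildcard matches exactly one label, so "*.example.com" does
        not cover "a.b.example.com"
    """
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels = pattern.split(".")
    h_labels = host.split(".")
    if p_labels[0] != "*" or "*" in p_labels[1:]:
        return False  # partial ("w*.example.com") or multiple wildcards
    if len(p_labels) < 3:
        return False  # "*.com" would cover every .com domain
    if len(p_labels) != len(h_labels):
        return False  # one label only
    return p_labels[1:] == h_labels[1:]


def cert_matches_host(subject_alt_names, host):
    """Decide whether a certificate's SAN list covers the host the client asked for.

    subject_alt_names: iterable of (type, value) pairs such as ("DNS", "example.com")
    or ("IP Address", "203.0.113.10"). The Common Name is deliberately not
    consulted; modern browsers ignore it.
    """
    try:
        requested_ip = ipaddress.ip_address(host)
    except ValueError:
        requested_ip = None

    for san_type, value in subject_alt_names:
        if requested_ip is not None and san_type == "IP Address":
            try:
                if ipaddress.ip_address(value) == requested_ip:
                    return True
            except ValueError:
                continue  # malformed entry in the certificate
        elif requested_ip is None and san_type == "DNS" and dns_name_matches(value, host):
            return True
    return False


# Constructed certificate contents for a hypothetical example.com deployment.
CONSTRUCTED_SAN = [
    ("DNS", "example.com"),
    ("DNS", "*.example.com"),
    ("IP Address", "203.0.113.10"),
]

if __name__ == "__main__":
    for host in ("example.com", "www.example.com", "a.b.example.com", "evil.example", "203.0.113.10"):
        print(f"{host:20} -> {cert_matches_host(CONSTRUCTED_SAN, host)}")
```

A certificate that passes this check is still only as trustworthy as the CA that signed it, which is why the next list treats a compromised CA and a user clicking through a warning as separate failure modes.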

TLS does NOT provide protection if:

  • A forged certificate was issued by a compromised CA
  • The victim ignores a certificate warning (“Continue connection anyway”)
  • A corporate proxy performs TLS inspection (a legitimate man-in-the-middle in a corporate context, trusted because the company’s CA is installed on the devices)
  • The attack is AiTM phishing (the victim communicates legitimately with a real server, but the attacker is the proxy in between)

Protective Measures

For enterprises:

  • Enforce TLS 1.3 everywhere (disable TLS 1.0/1.1)
  • Enable HSTS with includeSubDomains and preload
  • HPKP (HTTP Public Key Pinning) was an attempt at browser certificate pinning; it is obsolete and proved too error-prone
  • Certificate Transparency Monitoring
  • VPN for external connections from corporate devices
  • DNSSEC and DNS monitoring
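The first enterprise item, "enforce TLS 1.3 and verify certificates", translates into a handful of settings on any TLS client. As an added example (not part of the original entry), the Python code below builds a deliberately weak ssl.SSLContext beside a hardened one and runs a small audit over both, so a reviewer can see which attributes carry the baseline: the minimum protocol version, whether the server certificate is required and validated, and whether the hostname is checked against it.

```python
"""Audit a Python ssl.SSLContext against the TLS baseline from the checklist.

Added example for this glossary entry; it uses only the standard library's
ssl module and needs an OpenSSL build with TLS 1.3 support.
"""
import ssl


def audit_context(ctx):
    """Return a list of findings; an empty list means the context meets the baseline."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_3:
        findings.append(
            f"minimum protocol version is {ctx.minimum_version.name}; baseline is TLSv1_3"
        )
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate is not required or not validated (verify_mode)")
    if not ctx.check_hostname:
        findings.append("certificate is not matched against the hostname (check_hostname=False)")
    return findings


def weak_client_context():
    """The pattern that makes a client MitM-able: any protocol version the
    library supports, no certificate validation, no hostname check."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be disabled before verify_mode can be relaxed
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_client_context():
    """The corrected configuration: system CA store, certificate required,
    hostname checked, and nothing below TLS 1.3 negotiated."""
    ctx = ssl.create_default_context()            # CERT_REQUIRED, check_hostname=True, system CAs
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3  # refuses TLS 1.0/1.1/1.2 at the handshake
    return ctx


if __name__ == "__main__":
    for label, builder in (("weak", weak_client_context), ("hardened", hardened_client_context)):
        print(f"{label}: {audit_context(builder()) or ['ok']}")
```

The hardened context is what a client should present to any server the company operates; for services that still have to talk to third parties on TLS 1.2, the minimum version is the one setting to relax, never the two verification flags.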

For employees:

  • Never ignore certificate warnings
  • Use public Wi-Fi only with a VPN
  • Always verify the HTTPS connection and domain name

Phishing-resistant MFA (FIDO2): The only reliable protection against AiTM phishing—since the key is domain-bound and does not work on fake sites.