In my October 23 blog, I mentioned that iOS 4.3.4 was susceptible to a man-in-the-middle attack that was later corrected in iOS 4.3.5. These attacks are frequently mentioned in the security literature, but many of you may still be wondering what they are exactly and how they work. With this article, I’ll explain what man-in-the-middle attacks are and how you can avoid falling prey to them.
How the Attack Works
To see how man-in-the-middle attacks work, consider the illustration below. Network traffic normally travels directly between two computers that communicate with each other over the Internet, in this case the computers belonging to User 1 and User 2.
How to Avoid Being Attacked
In practice, ARP spoofing is difficult to prevent with the conventional security tools that come with your PC or Mac. However, you can make it difficult for people to view your network traffic by using encrypted network connections provided by HTTPS or VPN (virtual private network) technology.
HTTPS uses the secure sockets layer (SSL) capability in your browser to mask your web-based network traffic from prying eyes. VPN client software works in a similar fashion – some VPNs also use SSL – but you must connect to a VPN access point like your company network, if it supports VPN. To decrypt HTTPS and VPN, a man-in-the-middle attacker would have to obtain the keys used to encrypt the network traffic which is difficult, but not impossible to do.
When communicating over HTTPS, your web browser uses certificates to verify the identity of the servers you are connecting to. These certificates are verified by reputable third party authority companies like VeriSign.
If your browser does not recognize the authority of the certificate sent from a particular server, it will display a message indicating that the server’s certificate is not trusted, which means it may be coming from a man-in-the-middle-attacker. In this situation you should not proceed with the HTTPS session, unless you already know that the server can be trusted – like when you or the company you work for set up the server for employees only.
If you want to dive into the technical details and learn more about the tools used to carry out a man-in-middle attack, I recommend watching the YouTube video – Man In The Middle Attack – Ethical Hacking Example created by the InfoSec Institute.
In the meantime, use HTTPS and VPN in public networks and stay away from web servers you don’t trust.
I work for Trend Micro and the opinions expressed here are my own.
For more tips and advice regarding Internet, mobile security and more, just “Like” Trend Micro Fearless Web Facebook page!
