Man-in-the-Middle Attacks: How They Work & Prevention

Hackers silently intercepting your communications — learn to recognize and prevent MITM attacks before your data is stolen

What Is a Man-in-the-Middle Attack?

A Man-in-the-Middle (MITM) attack occurs when an attacker secretly intercepts and potentially alters the communication between two parties who believe they're communicating directly with each other. The attacker sits "in the middle" of the connection — receiving data from the victim, potentially reading or modifying it, and forwarding it to the actual destination (and vice versa) to avoid detection.

The defining characteristic of a MITM attack is invisibility. Unlike a brute-force attack or malware infection, a well-executed MITM may leave no obvious trace. Victims continue to use their devices normally; their sessions function as expected. Meanwhile, the attacker accumulates sensitive data: login credentials, session tokens, financial transactions, private messages, and business data.

MITM attacks target the trust relationships that underpin internet communications. They exploit the fact that most users don't verify cryptographic identities and that many networks lack mutual authentication. Public WiFi networks are particularly vulnerable — an attacker at a coffee shop can intercept traffic from everyone on the network without sophisticated equipment.

Common targets for MITM attacks include:

Common MITM Attack Techniques

ARP Spoofing / ARP Poisoning is the most common LAN-based MITM technique. The Address Resolution Protocol (ARP) maps IP addresses to MAC addresses on local networks with no authentication mechanism. An attacker sends forged ARP replies claiming that their MAC address corresponds to the gateway's IP address. All traffic destined for the internet is then sent to the attacker first. Tools like Ettercap and arpspoof automate this attack.

DNS Spoofing / Cache Poisoning corrupts the DNS cache on a resolver or victim machine to return a malicious IP for a legitimate domain. When the victim types "bank.example.com," they're silently redirected to the attacker's replica site. Combined with SSL stripping, users may not notice the connection is no longer secure. Run a DNS leak test to check whether your DNS queries are going where you expect.

SSL Stripping downgrades HTTPS connections to HTTP. When a user types a domain without "https://", the attacker intercepts the initial HTTP request, makes the HTTPS request to the real server themselves, and returns the decrypted content to the victim over plain HTTP. To users who don't check the padlock, the site looks normal. HTTP Strict Transport Security (HSTS) preloading in browsers is the primary defense.

Evil Twin / Rogue Access Points set up a WiFi access point with the same SSID as a legitimate network (hotel WiFi, airport WiFi, etc.). Devices configured to auto-connect to known networks join the rogue AP. All unencrypted traffic — and TLS traffic if the attacker can get victims to accept a fraudulent certificate — is captured.

BGP Hijacking is a large-scale MITM at the internet routing level. By injecting false BGP route announcements, an attacker can redirect traffic for entire IP prefixes through their network. This has been used to intercept cryptocurrency transactions and by nation-states for mass surveillance. WHOIS and BGP data can help identify whether an IP's routing has been hijacked.


How to Detect a MITM Attack

Detection is difficult because a competent attacker will maintain normal functionality to avoid arousing suspicion. However, several indicators can surface an active MITM attack.

Certificate warnings are the clearest signal. If your browser shows a certificate mismatch or an untrusted CA for a site you've visited before, stop immediately. Modern browsers use certificate pinning and Certificate Transparency logs to detect forged certificates for major sites — but smaller sites lack these protections.

Unexpected redirections to HTTP when you typed HTTPS, or subtle URL differences (bank.example.com vs. bank-example.com), suggest DNS or SSL-stripping attacks. Check the certificate details — the issuing CA should be a recognized authority, and the certificate's Subject Alternative Names should match the domain you intended to visit.

Network-level detection: on a local network, run ARP monitoring tools (arpwatch, XArp) that alert you to ARP table changes indicating potential spoofing. Check your public IP address and compare it to your ISP's expected address ranges — a BGP hijack might route your traffic through a foreign network. Unexpected latency increases or routing changes visible in traceroute output can also indicate traffic redirection.
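The ARP-monitoring idea above (what arpwatch does) can be reproduced in a few lines. The following is an added example, not code from the original article: it parses `ip neigh` style output, keeps a trusted baseline of IP-to-MAC bindings, and raises an alert when the gateway's MAC changes or when one MAC suddenly answers for several IPs. The IP and MAC addresses in the sample tables are constructed placeholders.

```python
"""Flag ARP-table changes that can indicate ARP spoofing (added example)."""
import re
from collections import defaultdict

# Matches the format `ip neigh show` prints on Linux, e.g.
# "192.168.1.1 dev eth0 lladdr aa:bb:cc:dd:ee:ff REACHABLE"
NEIGH_RE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+dev\s+\S+\s+lladdr\s+"
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})",
    re.IGNORECASE,
)

# Constructed sample: a snapshot taken on a trusted day, and one taken later.
BASELINE_NEIGH = """192.168.1.1 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE
192.168.1.20 dev eth0 lladdr 66:77:88:99:aa:bb STALE
192.168.1.30 dev eth0 FAILED
"""
CURRENT_NEIGH = """192.168.1.1 dev eth0 lladdr de:ad:be:ef:00:01 REACHABLE
192.168.1.20 dev eth0 lladdr 66:77:88:99:aa:bb STALE
192.168.1.77 dev eth0 lladdr de:ad:be:ef:00:01 REACHABLE
"""


def parse_neigh(output: str) -> dict:
    """Return {ip: mac} from `ip neigh` output; entries without a MAC (FAILED/INCOMPLETE) are skipped."""
    table = {}
    for line in output.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:
            table[m.group("ip")] = m.group("mac").lower()
    return table


def detect_arp_anomalies(baseline: dict, current: dict, gateway_ip: str) -> list:
    """Compare a trusted baseline with the current table and return alert strings."""
    alerts = []
    # (a) a known IP now maps to a different MAC; the gateway flipping is the classic poisoning sign
    for ip, mac in current.items():
        old = baseline.get(ip)
        if old is not None and old != mac:
            severity = "CRITICAL" if ip == gateway_ip else "WARNING"
            alerts.append(f"{severity}: {ip} changed from {old} to {mac}")
    # (b) one MAC claiming several IPs: the attacker's NIC answering for the gateway and for itself
    by_mac = defaultdict(list)
    for ip, mac in current.items():
        by_mac[mac].append(ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            alerts.append(f"WARNING: MAC {mac} claims multiple IPs: {', '.join(sorted(ips))}")
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_anomalies(parse_neigh(BASELINE_NEIGH), parse_neigh(CURRENT_NEIGH), "192.168.1.1"):
        print(alert)
```

On a real host you would feed it the output of `ip neigh show` (or `arp -a`, with a matching regex) on a schedule and keep the baseline on disk; a MAC change on the gateway IP is worth treating as an incident until explained, since legitimate gateway hardware rarely changes.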

Use an HTTP headers check to verify that servers are returning the security headers that prevent downgrade attacks: a Strict-Transport-Security header with a long max-age, ideally with the includeSubDomains and preload directives so the site qualifies for browser preload lists.
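What such a headers check actually evaluates is shown below. This is an added example, not code from the original article: it parses a Strict-Transport-Security header value and grades it against the requirements that matter for SSL-stripping resistance (a non-zero max-age, at least one year for preload eligibility, includeSubDomains, and preload). The sample response headers are constructed.

```python
"""Grade a Strict-Transport-Security header for downgrade resistance (added example)."""

ONE_YEAR = 31_536_000  # seconds; the minimum max-age the browser preload lists accept

# Constructed sample responses: a weak policy, a preload-ready policy, and no policy at all.
WEAK_HEADERS = {"Strict-Transport-Security": "max-age=86400"}
STRONG_HEADERS = {"strict-transport-security": "max-age=63072000; includeSubDomains; preload"}
MISSING_HEADERS = {"Content-Type": "text/html"}


def parse_hsts(header_value):
    """Parse 'max-age=N; includeSubDomains; preload' into a dict; None if max-age is absent or invalid."""
    if header_value is None:
        return None
    directives = {}
    for part in header_value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        # directive names are case-insensitive; max-age may be quoted
        directives[name.strip().lower()] = value.strip().strip('"')
    if not directives.get("max-age", "").isdigit():
        return None
    return {
        "max_age": int(directives["max-age"]),
        "include_subdomains": "includesubdomains" in directives,
        "preload": "preload" in directives,
    }


def assess_hsts(headers):
    """Return (grade, findings) for a dict of response headers (header names matched case-insensitively)."""
    value = next((v for k, v in headers.items() if k.lower() == "strict-transport-security"), None)
    parsed = parse_hsts(value)
    findings = []
    if parsed is None:
        findings.append("no valid Strict-Transport-Security header: a first visit over HTTP can be stripped")
        return "fail", findings
    if parsed["max_age"] == 0:
        findings.append("max-age=0 tells browsers to forget the policy")
        return "fail", findings
    if parsed["max_age"] < ONE_YEAR:
        findings.append(f"max-age {parsed['max_age']} is below one year; preload requires >= {ONE_YEAR}")
    if not parsed["include_subdomains"]:
        findings.append("includeSubDomains missing: subdomains can still be downgraded")
    if not parsed["preload"]:
        findings.append("preload missing: browsers only learn the policy after a first HTTPS visit")
    return ("preload-ready" if not findings else "partial"), findings


if __name__ == "__main__":
    for name, hdrs in (("weak", WEAK_HEADERS), ("strong", STRONG_HEADERS), ("missing", MISSING_HEADERS)):
        grade, findings = assess_hsts(hdrs)
        print(name, grade, findings)
```

Two points the grader encodes: browsers only honor the header when it arrives over HTTPS, so a check must fetch the https:// URL, and a short max-age weakens the protection because the policy expires between visits and the next plain-HTTP request is strippable again.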

Preventing MITM Attacks: A Practical Guide

Use HTTPS exclusively. The padlock icon means your connection is encrypted and the server's identity has been verified by a certificate authority. Install the HTTPS Everywhere browser extension or enable the native HTTPS-first mode in modern browsers. Never enter credentials or payment information on HTTP sites.

Verify certificate details for high-value sites (banking, email, corporate VPN). Browser developer tools show the full certificate chain. Major sites should use certificates issued by well-known CAs (DigiCert, Let's Encrypt, Sectigo). Pinned certificates or Certificate Transparency enforcement adds additional guarantees.
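The detection section above says the certificate's Subject Alternative Names should match the domain you intended to visit, and this section says to inspect those details for high-value sites. The following is an added example, not code from the original article, showing the matching rule a browser applies: exact DNS names match case-insensitively, a wildcard is only valid as the whole leftmost label and covers exactly one label, and a look-alike such as bank-example.com never matches. The SAN list is constructed; its tuple shape mirrors what Python's `ssl` module returns from `getpeercert()["subjectAltName"]`.

```python
"""Check whether a certificate's Subject Alternative Names cover the intended hostname (added example)."""
import ipaddress

# Constructed SAN list in the (type, value) form ssl.getpeercert() uses.
SAMPLE_SANS = [
    ("DNS", "bank.example.com"),
    ("DNS", "*.bank.example.com"),
    ("IP", "192.0.2.10"),
]


def _dns_id_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style DNS-ID matching: exact, or a single leftmost '*' label covering one label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Wildcard must be the entire leftmost label, must leave at least two fixed labels
    # (so "*.com" is rejected), and no other label may contain '*'.
    if p_labels[0] != "*" or len(p_labels) < 3 or any("*" in lbl for lbl in p_labels[1:]):
        return False
    # The wildcard stands in for exactly one label, so label counts must agree.
    if len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def san_matches(sans, target: str) -> bool:
    """Return True if any SAN entry covers `target` (a DNS name or a literal IP address)."""
    try:
        target_ip = ipaddress.ip_address(target)
    except ValueError:
        target_ip = None
    for san_type, value in sans:
        # A DNS-ID only covers DNS names; an IP address in the URL must match an IP SAN.
        if san_type == "DNS" and target_ip is None and _dns_id_matches(value, target):
            return True
        if san_type == "IP" and target_ip is not None:
            try:
                if ipaddress.ip_address(value) == target_ip:
                    return True
            except ValueError:
                continue
    return False


if __name__ == "__main__":
    for host in ("bank.example.com", "login.bank.example.com", "bank-example.com", "a.b.bank.example.com"):
        print(host, san_matches(SAMPLE_SANS, host))
```

In practice the TLS library does this check for you during the handshake; the value of seeing the rule spelled out is knowing why a warning on bank-example.com, or on a certificate whose SANs list a different organization's domains, means the connection is not the one you intended.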

Use a reputable VPN on public networks. A VPN encrypts all traffic before it leaves your device, making ARP spoofing and evil twin attacks ineffective — the attacker intercepts an encrypted stream they can't read. Verify your VPN is functioning with a DNS leak test after connecting.

Enable two-factor authentication on all important accounts. Even if an attacker intercepts your password via MITM, they can't log in without your second factor. Time-based OTP (TOTP) apps are more resistant than SMS 2FA, which is vulnerable to SIM swapping attacks.

Implement DNSSEC on your domain to cryptographically sign DNS records, so that validating resolvers can detect and reject spoofed answers. Use DNS-over-HTTPS (DoH) or DNS-over-TLS (DoT) to encrypt DNS queries and prevent interception between your device and the resolver. Configure your router to use a DoH-capable resolver like Cloudflare 1.1.1.1 or NextDNS.


Frequently Asked Questions

Can MITM attacks occur on HTTPS connections?

HTTPS significantly raises the bar for MITM attacks, but doesn't make them impossible. Attackers with access to a trusted root certificate authority (e.g., corporate IT departments for internal monitoring, or nation-state actors who've compromised a CA) can issue valid certificates for any domain. Certificate Transparency logs and browser certificate pinning are designed to detect and prevent this.

Are MITM attacks common on home networks?

Less common than on public networks, but not impossible. Compromised home routers can perform MITM attacks on all connected devices. Router firmware vulnerabilities, weak admin passwords, and malicious DNS configuration are known vectors. Check your router's DNS settings and update firmware regularly. Run a DNS leak test to verify your DNS isn't being intercepted.

Does a VPN prevent all MITM attacks?

A VPN prevents many MITM attacks by encrypting traffic end-to-end from your device to the VPN server. It defeats ARP spoofing, evil twin attacks, and local network interception. However, it doesn't protect against attacks on the VPN server itself, BGP hijacking of the VPN provider's IP space, or compromised certificate authorities. It's a critical layer but not a complete solution.

How does HTTPS protect against MITM?

HTTPS uses TLS to provide both encryption (preventing eavesdropping) and authentication (verifying the server's identity via a certificate signed by a trusted CA). If an attacker intercepts the connection and presents their own certificate, the browser verifies that the certificate chains to a CA in its trust store and that its names match the requested hostname, and rejects the connection when either check fails. This is why certificate warnings should never be ignored or bypassed.
