Request a Demo

What is Man-in-the-Middle Attack?

A man-in-the-middle attack is carried out by hackers to insert their presence in between the communication of two parties to gain access to all the information sent to and from both the parties. The hacker can stop the users from sending and receiving data, or might even divert and redirect the messages to another user. The main objective of Man-in-the-Middle attack is to eavesdrop the users’ conversation, masking their presence, making it appear so normal as if there is no third person involved in the communication.

The key role of the hackers - to perform a Man-in-the-Middle attack is to steal user login credentials, financial details, credit card numbers and so.

Man in the Middle Attack

The data extracted by the hackers during the attack could be used for identity theft, i.e. to steal the person’s data and use the same for applying for a credit card by the actual users’ name, to perform unauthorized fund transfers or illegal change of passwords.

Key Concepts of a Man-in-the-Middle Attack

A Man-in-the-Middle Attack is an eavesdropping attack, hand-held by the hacker himself to interfere with a communication session between the system and the people.

This type of attack helps attackers to use the real-time processing of the user’s conversations, transactions or exchange of other data.

MITM Attack Progression

A Man-in-the-Middle attack has to go through two different phases

  • Interception
  • Decryption


In the initial step, the user traffic is stopped through the attacker’s network even before it reaches the required destination.

The ideal way for hackers is to exploit the user’s system when they get connected to free public WiFi hotspots which are not password protected. So when the target victim gets connected to the public hotspot, the hacker from the other end gains access to the actual data exchange.

Interception can be one of the following attacks

IP Spoofing: This is a method, through which the attackers conceal themselves to look like an application by modifying the packet files in an IP address. This helps the hackers to extract user’s information when the user tries to access the URL connected to the malicious URL.

ARP Spoofing: This is a type of attack through which the hacker sends fake Address Resolution Protocol (ARP) messages through a local network, This is done when the hacker links the malicious MAC address with IP address of the user’s server and computer on the network. Once connected, the hacker automatically starts receiving data that goes in and out of the specific IP address. ARP spoofing entitles the hackers to even alter or intercept data-in-transit. ARP spoofing attacks are most common in local area networks that implement Address Resolution Protocol.

DNS Spoofing: This is also referred to as DNS cache poisoning that introduces corrupt Domain Name System data into DNS server to modify the record of a website’s address. This diverts the users to the attacker’s site.


Once the interception is achieved, the SSL traffic has to be decrypted without the user’s attention and also without interfering the normal operations of the application. This phase is called decryption and there is a number of procedures that the hackers have developed to get this done:

HTTPS Spoofing – This helps hackers to send fake certificates to the user’s browsers once the connection is made. It holds a signature in correspondence to the infected application and it surpasses the validation done by the browser by verifying with the standards of trusted sites. Through this way, the hacker gets access to the user’s data even before it reaches the application.

SSL Hijacking – Hackers copy fake authentication keys to user and application during the process of TCP handshake to take control of the complete session while the user assumes it to be a secure connection.

SSL BEAST - Hackers target the TLS version 1.0 vulnerability. The hacker infects the system through malicious JavaScript to block encrypted cookies that are sent from the application to the user.

SSL Stripping – converts an existing HTTPS connection to HTTP by interrupting the TLS authentication sent to the user from the application. An unencrypted version of the application’s website is sent to the user while a secure session is maintained with the application. In the meantime, the complete session of the user is visible to the attacker.


Man in the Middle Attacks can be prevented by integrating verification techniques for applications alongside effective encryption

Methods to prevent Man in the Middle Attacks

For Individual Users

Refrain from connecting to public Wi-Fi hotspots that are not password protected

Pay close attention to any alerts or warning messages that the website is insecure.

It is advisable to log out of any application when not in use.

When the user is connected to a public network, it is advisable not to perform any sensitive financial transactions.

For Website Operators

Implementing the use of TLS and HTTPS would provide effective encryption and authentication of transmitted data to protect the website from Man-in-the-Middle attacks. This effectively obstructs the decryption of confidential data like authentication keys.

It is healthy to implement the use of SSL/TLS to protect each and every page of the website and not just the pages that involve users’ information. There is a higher chance of the hacker to extract session cookies when the user is browsing on a session that is insecure when logged in.

How Do You Prevent HTTP Interception?

What are SSL/TLS Certificates

Implement the use of an SSL/TLS certificate to stimulate HTTPS protocol which is the secure version of HTTP. An HTTPS protocol encrypts the connection between the browser and the server. This mitigates hacking attempts and protects the user’s information from inquisitive hackers.

There are different types of SSL certificates that provide different levels of protection. TLS Certificates can merge the identity of domain name and the organization when you choose to use an (Organization Validated) or EV (Extended Validation) level certificates. EV SSL Certificates displays the information about the Organization’s identity in the Address Bar. By doing so the EV SSL Certificate can enhance the user’s trust on the organization’s website for its legitimacy.

Systems and Server Configurations

Implementing SSL/TLS is not just enough, ensure that the website does not have any page aspects running on an HTTP protocol to help you leave a backdoor for aspiring hackers. Ensure that all hyperlinks that are a part of the website, use HTTPS protocol.

It is critical to check if the configuration of the server is done right, corresponding to the standards and best practices for algorithms, protocols etc. For instance, check if TLS 1.1 and 1.2 is enabled and SSL2, TLS1, and SSL3 are disabled.

Implement Comodo SecureBox to protect data even on a malware infected website. SecureBox uses an effective method to secure users’ application data from hackers. It runs the sessions inside virtual containers. This keeps the application safe and secure even on infected endpoints.

Comodo SecureBox is efficient to deny Man-in-the-middle attack with the following robust features

Application Containerization is an OS-based visualization technique that creates a threat resistant tunnel between the web clients and the web servers to ensure that the communication or the transactions between the customers and the services and vice versa are secured from threats.

Keylogger Protection: Comodo SecureBox features a smart technique that works on artificial intelligence called keyboard visualization technology. The Keyboard Filter Driver allows you to block any suspicious single keys or even key combinations. It delivers protection as it encrypts the information and sends it directly to the destined window in a unique pattern.

Remote Takeover Protection: Comodo SecureBox is equipped with screen capture detection technology. It fights effectively against a remote desktop takeover by obstructing any malicious attempt. This is done by switching from default screen to isolated virtual screen; it also displays warning messages and denies hackers to view anything on the user’s desktop.

Anti-Sniffing: When a potential malicious connection is trying to get established, Comodo SecureBox intercepts to verify if the certificates use Comodo’s trusted root certificate list, to strictly encounter man-in-the-middle attacks.

Anti-Memory Scrapping: Comodo SecureBox restricts third-party applications from accessing the memory of containerized applications.

Instant Virus Removal: Comodo SecureBox ensures a cloud-based scan of any application even before the user opens the same; this is done to stop or remove any active viruses on the host device