What a Man-in-the-Middle Attack Looks Like -- Identifying MITM

Everyone knows that governments and criminals around the world are breaking into computers and stealing data. But no one really knows if they are actually a target of an attack. Sometimes your internet just "messes up" and you wonder why a page rendered strangely, or why portions of a page don't load, or where these strange cryptic errors are coming from.

The most common attack vectors for advanced attackers are the Man-in-the-Middle and Man-on-the-Side attacks. For the purposes of this article i'm going to cover the MITM attack.

When you browse the internet or use an internet enabled service, your data flows from you to your internet provider, and then is routed around through multiple services before it reaches it's destination, the server that is hosting your information.

A man-in-the-middle sits on any position between your computer and that server, and they listen for your data. Your data gets tampered with by the man in the middle so that they can either listen in on your conversation or they'll try to inject data into your connection in order to gain access to your browser or app that is trying to move data, or even compromise the entire device.

HTTPS is supposed to prevent this type of attack, because it uses "Secure Sockets" to verify that the server sending your data is definitely the person you intend to be talking to, and not someone trying to wiretap you or hack your device. The real world implementation of this concept is called the Certificate Authority system (often called the CA).

The Certificate Authority System

Every secure website needs a certificate to present to the browser to tell the browser who it is and begin a secure connection. The internet is managed by trust. You have so called "root CAs" which are certificates that are used by supposedly trusted parties that can be used to create the certificates that you use.

So what you do as an administrator, is you go to one of these entities that is a certificate authority, and file an application for your website or service. The CA then reviews your application and issues you a certificate. You configure your server to present this certificate, and then when users visit your site or service a secure connection can be established with your verified identity.

The Problem with the CA System

Browsers and huge swaths of software do not check if a certificate that is being presented to them actually matches what it should be seeing. It checks if the certificate came from one of the root CAs, and then sets up the connection without any further scrutiny into whether the site should be trusted.

Over time, the number of CAs has increased, and parties that should not be trusted with the power of a certificate authority have been trusted by devices, browsers, and software. With more Certificate Authorities out there, you have more entities to attack to try to steal a root CA, and more opportunities for a CA to willingly issue bad certificates. The short explanation is, more CAs more problems.

What a MITM Attack Looks Like on a Hardened Browser.

In our Firefox Hardening Guide, the final step is to remove the root CAs from the trusted list that do not belong to websites that you routinely visit. The idea here is that you are reducing your attack surface, because blindly trusting less CAs means that it is far less likely that an attacker is going to present a certificate that your browser will take. This means that when an attacker tries to redirect your internet traffic to a malicious server, it is far less likely that your browser is going to accept the certificate, and it will throw a big ugly error.

Above you see the SEC_ERROR_UNKNOWN_ISSUER error in hardened Firefox. Here some outside entity saw my request going to Technet, and tried to establish a connection with my PC to either listen in on what I was looking at, or more likely to attack my browser and try to gain control of my device. Because I didn't trust the Certificate Authority the attacker used, the browser rejected the certificate and refused the malicious data.

Another Attack Vector - Pushing Fake "Updates"


Here we have the console of an Ubuntu Linux server that is checking for updates. When the server checks the list of updates to be pushed against what it should be receiving, they don't match. This means that someone attempted to push fake updates to the server in order to compromise its security.

These attacks do exist in the real world and being vigilant is the only way to protect yourself. Make sure that your VPN provider takes security far more seriously that just installing updates and hand-waving security concerns. Paranoid governments want that data, and they will try to get it.


< last
next >