Blog | G5 Cyber Security

HTTPS: Man-in-the-Middle Attacks

TL;DR

Yes, a man-in-the-middle (MITM) can read and alter an HTTPS conversation if the certificate isn’t properly validated, because the client then sets up its encrypted session with the attacker instead of the real server. Modern browsers are very good at preventing this, but the protection still fails on older systems or when a user clicks through a certificate warning. Properly configured and validated HTTPS protects against both eavesdropping and tampering.

What is a Man-in-the-Middle Attack?

Imagine Alice wants to talk securely to Bob. Normally, they agree on a secret code beforehand. A MITM attack happens when Eve secretly sits between them, pretending to be Bob when talking to Alice and pretending to be Alice when talking to Bob. Each side believes it is talking to the other, while Eve reads (and can change) everything that passes through her.

How HTTPS Protects Us

HTTPS uses certificates to verify that you’re actually talking to who you think you are. A certificate is a digital ID: it binds a site’s hostname to a public key and is signed by a certificate authority (CA) your browser already trusts. When your browser connects to a website using HTTPS, it checks this ID: the certificate must chain to a trusted CA, name the host you typed, and be within its validity period. Only then does the browser use the key inside it to set up the encrypted session.

Why an MITM Can Still Hear (Sometimes)

Here’s how a MITM can still intercept data even with HTTPS:

1. Invalid Certificates

  1. Self-Signed Certificates: A certificate signed with its own key rather than by a recognised authority. Browsers have no reason to trust it and show a warning. An attacker’s interception certificate is usually exactly this kind of certificate, so a user who ignores the warning and proceeds anyway hands the session to the MITM.
  2. Expired Certificates: If a certificate is outside its validity period, your browser should warn you. Ignoring this warning opens you up to attack in the same way.
  3. Incorrect Hostname: The certificate must name the website address (hostname) you’re visiting. A mismatch means the certificate was issued for some other site and is being presented by something other than the site you asked for.

In each case the MITM presents its own certificate in place of the real one. The warning is the browser catching it; a user who proceeds despite the warning lets the attacker decrypt, read and re-encrypt everything that follows.
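The three checks above, as an added example that is not code from the original post: a Python function that applies the self-signed, validity-period and hostname rules to a certificate in the dict shape Python’s ssl module returns from getpeercert(), next to the secure and insecure ways of building a client context. The certificates, hostnames, issuer names and dates are constructed for the example; the function does not verify the signature chain itself, which ssl.create_default_context() does for real connections.

```python
import ssl
import time

# Constructed example certificates, in the dict shape ssl.SSLSocket.getpeercert()
# returns for a verified peer. Names, issuers and dates are made up for this example.
GOOD_CERT = {
    "subject": ((("commonName", "bank.example"),),),
    "issuer": ((("commonName", "Example Trust CA"),),),
    "subjectAltName": (("DNS", "bank.example"), ("DNS", "*.bank.example")),
    "notBefore": "Jan 15 00:00:00 2024 GMT",
    "notAfter": "Jan 15 00:00:00 2026 GMT",
}
SELF_SIGNED_CERT = dict(GOOD_CERT, issuer=GOOD_CERT["subject"])
EXPIRED_CERT = dict(GOOD_CERT, notAfter="Mar 01 00:00:00 2024 GMT")
WRONG_HOST_CERT = dict(GOOD_CERT, subjectAltName=(("DNS", "other.example"),))

# A fixed "current time" so the example gives the same answer on every run.
NOW = ssl.cert_time_to_seconds("Jun 15 12:00:00 2024 GMT")


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Match a certificate DNS name against a hostname (RFC 6125 rules, simplified):
    an exact case-insensitive match, or a single '*' as the leftmost label standing
    for exactly one label, so '*.bank.example' covers 'www.bank.example' but neither
    'bank.example' nor 'a.b.bank.example'."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    first, _, rest = pattern.partition(".")
    if first != "*" or "*" in rest or "." not in rest:
        return False  # partial wildcards ('w*.x') and '*.com'-style names are rejected
    host_first, _, host_rest = hostname.partition(".")
    return host_first != "" and host_rest == rest


def check_peer_cert(cert: dict, hostname: str, now=None) -> list:
    """Return the problems a browser would warn about for this certificate; an
    empty list means it is acceptable for `hostname` at time `now`."""
    now = time.time() if now is None else now
    problems = []
    # 1. Self-signed: issuer and subject are the same entity, so nobody the browser
    #    trusts has vouched for the key. This is what an interception proxy presents.
    if cert.get("issuer") == cert.get("subject"):
        problems.append("self-signed certificate")
    # 2. Validity period, both bounds (notBefore also catches a wrong client clock).
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        problems.append("certificate not yet valid")
    elif now > ssl.cert_time_to_seconds(cert["notAfter"]):
        problems.append("certificate expired")
    # 3. Hostname: only subjectAltName DNS entries count; browsers ignore commonName.
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not any(dns_name_matches(name, hostname) for name in names):
        problems.append("hostname %r not covered by %s" % (hostname, names))
    return problems


def client_context(ignore_warnings: bool = False) -> ssl.SSLContext:
    """The real check lives in the TLS library: create_default_context() verifies
    the chain against the system trust store, the validity period and the hostname.
    ignore_warnings=True is the code equivalent of clicking through a browser
    warning, and is what leaves many client applications open to a MITM."""
    ctx = ssl.create_default_context()
    if ignore_warnings:
        ctx.check_hostname = False        # must be cleared before verify_mode
        ctx.verify_mode = ssl.CERT_NONE   # accepts self-signed, expired, any name
    return ctx


def accepts_any_certificate(ctx: ssl.SSLContext) -> bool:
    return ctx.verify_mode == ssl.CERT_NONE


if __name__ == "__main__":
    for label, cert in [("good", GOOD_CERT), ("self-signed", SELF_SIGNED_CERT),
                        ("expired", EXPIRED_CERT), ("wrong host", WRONG_HOST_CERT)]:
        print(label, "->", check_peer_cert(cert, "bank.example", NOW) or "OK")
```

The wildcard rule is the part most often got wrong by hand-rolled checks: a single leftmost label only, never 'bank.example' itself and never two labels deep. Any one of the three problems is enough for a browser to refuse the connection.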

2. Weak Cipher Suites

HTTPS uses encryption algorithms (cipher suites) to scramble data. Older or weaker cipher suites are easier to break. A MITM that cannot forge a certificate may instead tamper with the handshake so that both sides fall back to an old protocol version or a weak cipher suite, if the client and server still allow one. The fix is on both ends: disable SSLv3, TLS 1.0 and TLS 1.1, and drop the export-grade, RC4, 3DES and NULL suites, so there is nothing left to downgrade to. TLS 1.3 additionally marks a negotiated downgrade in the server’s handshake random, so an up-to-date client can detect the tampering.
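A cipher-suite policy check, added here as an example that is not from the original post: a classifier for OpenSSL-style and TLS 1.3 suite names, applied to a constructed list of what a legacy server might offer, and a client context configured so that no downgrade target remains. The reason table is assembled for the example and is not a complete policy; base a production configuration on current published guidance.

```python
import re
import ssl

# Tokens that mark a cipher suite name as broken or obsolete. Assembled for this
# example; a real policy should follow current published guidance.
BAD_TOKENS = {
    "NULL": "no encryption",
    "EXP": "export-grade key size",
    "EXPORT": "export-grade key size",
    "RC4": "RC4 stream cipher",
    "DES": "DES/3DES block cipher",
    "MD5": "MD5 MAC",
    "ADH": "anonymous key exchange (no authentication)",
    "AECDH": "anonymous key exchange (no authentication)",
}


def weakness(cipher_name: str):
    """Return why a cipher suite should be rejected, or None if it is acceptable.
    Understands OpenSSL names (ECDHE-RSA-AES128-GCM-SHA256), IANA names
    (TLS_RSA_WITH_AES_128_CBC_SHA) and TLS 1.3 names (TLS_AES_128_GCM_SHA256);
    every TLS 1.3 suite is forward-secret AEAD, so those pass once the token
    check is clean."""
    tokens = set(re.split(r"[-_]", cipher_name.upper()))
    for token, reason in BAD_TOKENS.items():
        if token in tokens:
            return reason
    if cipher_name.upper().startswith("TLS_") and "WITH" not in tokens:
        return None
    if not tokens & {"ECDHE", "DHE"}:
        return "static RSA key exchange (no forward secrecy)"
    if not tokens & {"GCM", "CHACHA20", "CCM"}:
        return "not an AEAD suite (legacy CBC+HMAC)"
    return None


def downgrade_targets(offered: list) -> dict:
    """Map each weak suite in an offer to the reason it is weak: this is what an
    attacker tampering with the handshake can push the connection onto."""
    return {name: weakness(name) for name in offered if weakness(name)}


def hardened_client_context() -> ssl.SSLContext:
    """A client that leaves nothing to downgrade to: no protocol below TLS 1.2,
    no TLS compression, and only forward-secret AEAD suites for TLS 1.2.
    TLS 1.3 suites are enabled separately by OpenSSL and are all acceptable."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.options |= ssl.OP_NO_COMPRESSION
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM")
    return ctx


def offered_weak_ciphers(ctx: ssl.SSLContext) -> list:
    """Suites this context would still negotiate that the policy above rejects."""
    return [c["name"] for c in ctx.get_ciphers() if weakness(c["name"])]


# Constructed list of what a legacy server might still advertise.
LEGACY_SERVER_OFFER = [
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES128-SHA",
    "AES128-SHA",
    "DES-CBC3-SHA",
    "RC4-MD5",
    "EXP-RC4-MD5",
    "NULL-SHA",
]

if __name__ == "__main__":
    for name, why in downgrade_targets(LEGACY_SERVER_OFFER).items():
        print(f"{name}: {why}")
    print("weak suites left in hardened client:",
          offered_weak_ciphers(hardened_client_context()))
```

The same check applies to a server: run it against the suite list the server is configured with, because a downgrade only works when both sides are still willing to accept the weak option.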

3. SSL Stripping

SSL stripping is an attack where the MITM catches the victim’s first plain-HTTP request (for example the one sent when a site name is typed without https://) and, instead of passing on the site’s redirect to HTTPS, talks HTTPS to the real site itself while serving the victim a plain-HTTP copy with every https:// link rewritten to http://. The victim sees a working site and gets no certificate warning, because no certificate is ever involved on their side, and the attacker sees all traffic in plain text. Modern browsers are increasingly resistant to this, especially with HSTS, which tells the browser never to use plain HTTP for that site again.
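Both sides of the attack in one runnable script, added as an example that is not code from the original post: the attacker’s link rewriting, and a browser-style HSTS cache that parses Strict-Transport-Security headers and upgrades requests before they leave the client. The page, hostnames and header values are constructed for the example; the cache follows the RFC 6797 rules for honouring the header only over TLS, max-age expiry, includeSubDomains and max-age=0.

```python
import re
import time
from urllib.parse import urlsplit, urlunsplit


def strip_https(html: str) -> str:
    """The attacker's side of SSL stripping: the proxy fetches the real page over
    HTTPS, then relays it to the victim over plain HTTP with every https:// link
    rewritten so the victim never asks for an encrypted connection."""
    return re.sub(r"https://", "http://", html, flags=re.IGNORECASE)


def parse_hsts(header_value: str):
    """Parse a Strict-Transport-Security value into (max_age, include_subdomains);
    returns None when the header is malformed and must be ignored."""
    max_age, include_subdomains = None, False
    for directive in header_value.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                max_age = int(value.strip().strip('"'))
            except ValueError:
                return None
        elif name == "includesubdomains":
            include_subdomains = True
    if max_age is None or max_age < 0:
        return None
    return max_age, include_subdomains


class HSTSCache:
    """The browser's defence: once a host has sent HSTS over a valid TLS connection,
    every http:// request to that host (and, with includeSubDomains, its subdomains)
    is rewritten to https:// before it leaves the machine, so a stripping proxy
    never sees a plaintext request it could relay."""

    def __init__(self):
        self._policies = {}  # host -> (expires_at, include_subdomains)

    def remember(self, host: str, header_value: str, now=None, over_tls: bool = True):
        # RFC 6797: honour the header only on a TLS connection without certificate
        # errors; otherwise a MITM could plant or clear policies over plain HTTP.
        if not over_tls:
            return
        parsed = parse_hsts(header_value)
        if parsed is None:
            return
        max_age, include_subdomains = parsed
        now = time.time() if now is None else now
        host = host.lower()
        if max_age == 0:
            self._policies.pop(host, None)  # max-age=0 tells the browser to forget
        else:
            self._policies[host] = (now + max_age, include_subdomains)

    def is_known(self, host: str, now=None) -> bool:
        now = time.time() if now is None else now
        labels = host.lower().split(".")
        # Walk from the full name up through its parent domains; a parent's policy
        # only applies to subdomains if it carried includeSubDomains.
        for i in range(len(labels)):
            entry = self._policies.get(".".join(labels[i:]))
            if entry is None:
                continue
            expires_at, include_subdomains = entry
            if now < expires_at and (i == 0 or include_subdomains):
                return True
        return False

    def upgrade(self, url: str, now=None) -> str:
        parts = urlsplit(url)
        if parts.scheme.lower() != "http" or not self.is_known(parts.hostname or "", now):
            return url
        netloc = parts.hostname if parts.port in (None, 80) else parts.netloc
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


# Constructed page as served by the real site; the attacker's proxy strips it and
# the victim's browser then decides, link by link, what it actually requests.
ORIGINAL_PAGE = (
    '<a href="https://bank.example/login">Log in</a> '
    '<a href="https://news.example/">News</a>'
)


def simulate(now: float) -> list:
    """Return the URLs the victim's browser requests after stripping. bank.example
    sent HSTS on an earlier, genuine HTTPS visit; news.example never did."""
    cache = HSTSCache()
    cache.remember("bank.example", "max-age=31536000; includeSubDomains", now=now - 3600)
    links = re.findall(r'href="([^"]+)"', strip_https(ORIGINAL_PAGE))
    return [cache.upgrade(link, now) for link in links]


if __name__ == "__main__":
    print(simulate(time.time()))
```

The bank link comes back as https:// and the stripped news link stays http://, which is the whole story of HSTS: it protects a site from the second visit onward (or from the first, if the site is on the browser preload list), and a browser that knows a host via HSTS also refuses to let the user click through certificate errors for it.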

How to Protect Yourself

  1. Always Check for HTTPS: Look for the padlock icon in your browser’s address bar.
  2. Pay Attention to Warnings: Never ignore security warnings about invalid certificates.
  3. Keep Your Browser Updated: Updates include important security fixes.
  4. Use HSTS (HTTP Strict Transport Security): A site sends a Strict-Transport-Security response header over HTTPS, and from then on your browser refuses to load that site over plain HTTP, which defeats SSL stripping on every later visit (and on the first visit too, if the site is on the browser preload list). Websites need to enable this on their server; there is nothing for the user to do.
  5. Be Careful on Public Wi-Fi: Avoid sensitive transactions on unsecured public networks. Use a VPN if you must.

Technical Details (for advanced users)

MITM attacks often begin by capturing the victim’s traffic. Tools like Wireshark or tcpdump can be used to capture network traffic (legally, with permission!):

tcpdump -i eth0 -nn 'port 80 or port 443'

(This captures HTTP and HTTPS traffic on the ‘eth0’ interface; -nn keeps addresses and ports numeric so the capture does no name lookups of its own.)

Such a capture shows HTTP in the clear. For HTTPS it shows only the TLS handshake metadata (the server name in the ClientHello, and in TLS 1.2 and earlier the server’s certificate) followed by encrypted application data. The attacker only gets at the content if one of the failures above lets them terminate TLS themselves.
