Stay Away from the Man in the Middle

February 27, 2014 | By Kevin Judge

When you were a kid, presuming that you have indeed grown up, did you ever play the game “Man in the Middle”? That is where two players play a game of catch with a large ball, but they must throw it over the head of a third player in the middle. The player in the middle wins the game if they can intercept the ball.

In network security, a “Man in the Middle Attack” refers to a hacker who is able to insert himself into the middle of the communication between a client system and a server system. He tricks the client into thinking that he is the server, and the server into thinking that he is the client. If the hacker is successful, he wins and the targets of the attack lose. Depending on how nefarious the attacker is, they could lose big time.

Man in the Middle (MIM) attacks can be used to monitor network traffic and steal valuable data or security credentials such as IDs and passwords. They can be used to mount a denial of service attack that slows or halts network communication, to redirect a web site visitor to a fake site as part of a criminal scheme, to intercept files and email, or to infect the client and the server with a virus.

For example, a user goes to their bank’s web site to do some online banking. However, a man in the middle attack redirects them to a fake web site that looks just like the bank’s. The hacker captures the user’s login and account information. He can even pass the user’s transactions through to the real bank, so the user does not notice anything is wrong until they find their account raided later by the hacker.

Web communication is a particular concern because the hypertext transfer protocol (HTTP) exchanges plain ASCII text messages as independent requests and responses. HTTP by itself does not establish the continuous, protected connection that security requires. With plain HTTP, it is relatively simple for a hacker to intercept, read and modify messages. Before the internet could be commercialized in 1994, there needed to be a way to create secure connections with encrypted messages.

Netscape created that way with the Secure Socket Layer (SSL) protocol, which works in conjunction with HTTP to provide secured, encrypted connections on the internet. I would never provide personal information on a web site unless I see https on the address line! However, the way SSL sets up its encryption can leave an opening for a MIM attack. The browser sends a message to the web server to start the process, and the server responds with the information needed to create the secured connection in a file called a certificate. The certificate includes a value called a “key” (the server’s public key) that the browser uses to encrypt its messages for the server. If a hacker can insert a MIM process, it can substitute its own key for the web server’s. It can then read and edit the browser’s messages, and it can do the same with the server’s messages.

Now, here is the really scary part. Tutorials on how to create a MIM are all over the internet, including YouTube videos. If that isn’t enough, there are tools available on the web that will automate and simplify the process of creating a MIM. How can the powers that be allow that to happen? Besides a little thing called the First Amendment, there are legitimate uses for MIM. Companies are allowed to monitor employee use of company resources. They use MIM to watch what employees are doing and to read their emails. Sounds a little creepy, but employees often abuse their privileges and employers have a right to know.

Fortunately, another feature was built into SSL to deal with this problem. An SSL certificate includes a “signature”. The signature is applied by a named party that has verified that the certificate originates from the site the browser is attempting to communicate with. A MIM process can still succeed if the certificate has been revoked or is “self signed”. A self-signed certificate is signed by the site itself, so nobody independent has vouched for it.

However, if the certificate is signed by a third party called a Certificate Authority (CA) that the browser already trusts, the browser has assurance that the certificate was in fact issued to the site owner, and a substituted key will not carry a valid signature from that CA.
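The two points above, the key substitution and the signature check that defeats it, can be walked through end to end with the openssl command line. This is an added example, not code from the original post or from Comodo; it assumes openssl 1.1.1 or newer is installed, and the names “Demo Root CA” and “bank.example” are constructed for the demo. A private CA stands in for the browser’s list of trusted authorities. The legitimate server certificate is signed by that CA; the substitute certificate a man in the middle would present carries the attacker’s own key and is signed only by itself, so the chain check rejects it. The example also goes one step past the text and shows that even a genuinely CA-signed certificate is rejected when it is presented for a host name it was not issued for:

```shell
#!/bin/sh
# Added example, not code from the original post or from Comodo.
# Builds a tiny PKI with the openssl CLI and checks certificates the way a
# browser would: does the certificate chain to a trusted CA, and was it
# issued for the host being visited? "Demo Root CA" and "bank.example" are
# constructed names. Requires openssl 1.1.1 or newer.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Minimal OpenSSL config, so the result does not depend on the system's
# default openssl.cnf.
cat > "$WORK/demo.cnf" <<'EOF'
[ req ]
prompt = no
distinguished_name = dn

[ dn ]
CN = placeholder

[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ leaf_ext ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
subjectAltName = DNS:bank.example
EOF

# Create a private CA (standing in for the browser's trust store), a
# legitimate server certificate signed by that CA, and an attacker's
# substitute certificate for the same name that is signed only by itself.
make_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -config "$WORK/demo.cnf" -extensions ca_ext -subj "/CN=Demo Root CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null

  openssl req -new -newkey rsa:2048 -nodes \
    -config "$WORK/demo.cnf" -subj "/CN=bank.example" \
    -keyout "$WORK/bank.key" -out "$WORK/bank.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/bank.csr" -days 1 -set_serial 1 \
    -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -extfile "$WORK/demo.cnf" -extensions leaf_ext \
    -out "$WORK/bank.pem" 2>/dev/null

  # The interceptor holds rogue.key; its substituted public key only helps it
  # if the browser can be persuaded to accept this certificate.
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -config "$WORK/demo.cnf" -extensions leaf_ext -subj "/CN=bank.example" \
    -keyout "$WORK/rogue.key" -out "$WORK/rogue.pem" 2>/dev/null
}

# browser_would_accept CERT HOST: exit 0 only when CERT chains to the
# trusted CA and names HOST, the same two checks a browser performs.
browser_would_accept() {
  openssl verify -CAfile "$WORK/ca.pem" -verify_hostname "$2" "$1" >/dev/null 2>&1
}

make_pki
for cert in bank rogue; do
  if browser_would_accept "$WORK/$cert.pem" bank.example; then
    echo "$cert.pem: accepted (chains to the trusted CA and names bank.example)"
  else
    echo "$cert.pem: REJECTED (untrusted signer or wrong host name)"
  fi
done
```

Run it as `sh mim_demo.sh`: bank.pem is accepted and rogue.pem is rejected, even though both claim to be bank.example. The generated files stay under the temporary directory in `$WORK` so you can inspect them with `openssl x509 -in "$WORK/rogue.pem" -noout -text` and see that issuer and subject are the same party, which is exactly what “self signed” means.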

Problem solved? Partially, but there is one more thing to consider.

There are different levels of assurance provided by a CA. For important transactions, particularly financial transactions, you want your site users assured that you are a legitimate, ongoing operation. To that end, you should obtain an Enhanced Validation (EV) SSL certificate, the highest level of assurance a CA provides.

With EV from Comodo, you and all of a web site’s visitors can keep an eye out for the “Man in the Middle”!
