3 Effective Ways to Defend Against a Man-in-the-Middle Attack (MITM)

In internet security, a man-in-the-middle (MITM) attack is a form of active eavesdropping in which the attacker makes independent connections with the victims and relays messages between them, making them believe that they are talking directly to each other over a private connection when in fact the entire conversation is controlled by the attacker. The attacker must be able to intercept all messages going between the two victims and inject new ones, which is straightforward in many circumstances (for example, an attacker within reception range of an unencrypted Wi-Fi access point can insert himself as a man-in-the-middle).

Since a man-in-the-middle (MITM) attack can succeed only when the attacker can impersonate each endpoint to the satisfaction of the other, the 2 crucial points in defending against MITM are authentication and encryption. A number of cryptographic protocols include some form of endpoint authentication specifically to prevent MITM attacks. For example, SSL can authenticate one or both parties using a mutually trusted certification authority. However, many websites still do not support SSL. So, to keep your browsing on a public network free of interception, you should take some action yourself. There are 3 effective ways to defend against a man-in-the-middle attack even without SSL. These methods encrypt the data traffic between you and the server you are connecting to, and also include some kind of endpoint authentication.

Method 1. VPN

The most common way to get a secure connection is a Virtual Private Network (VPN). A VPN extends a private network across a public network, e.g., the Internet. It enables a computer to send and receive data across shared or public networks as if it were directly connected to the private network, while benefiting from the functionality, security and management policies of the private network. A VPN is created by establishing a virtual point-to-point connection through the use of dedicated connections, virtual tunneling protocols or traffic encryption, such as PPTP (Point-to-Point Tunneling Protocol) or Internet Protocol Security (IPsec).

To take advantage of a VPN, you need a remote VPN server set up and configured. You can do this yourself or use a reliable VPN service such as HideMyAss. Once you have it, follow the steps below to establish a secure point-to-point connection with it. All data transmission is encrypted, so even if the traffic is intercepted, the attacker will have no idea of its content.
#1 Click “Control Panel” in the Start menu.
#2 In Control Panel, select “Network and Internet”.
#3 Click “Network and Sharing Center”.
#4 Click “Set up a new connection or network”.
#5 In the “Set up a new connection or network” dialog, select “Connect to a workplace” and then press “Next”.
#6 In the “Connect to a Workplace” dialog, click “Use my Internet connection (VPN)”.
#7 Input the IP address of the VPN server and press “Next”.
#8 Input your username and password, then press “Create”.
#9 Click “Connect Now”.

Tips: As a transfer station, the safety and reliability of the VPN server are crucial to the security of your whole communication system. So, we advise you to choose only a host in a secure network as your VPN server. As for VPN services, HideMyAss is the top one that we personally recommend; you can find more about HMA here.

Method 2. Proxy Server with Data Encryption

The 2nd technique is to use a reliable proxy server and encrypt the transmission between you and the proxy. Some privacy software, such as Hide My IP, provides proxy servers and an encryption option.

#1 Download HideMyIp from here. After installation, double-click to launch the program.
#2 In the main interface, click “Advanced Settings…”.
#3 In the “Advanced Settings & Options” dialog, check the option “Encrypt My Connection with SSL”, which means your data traffic to the sites you are visiting will always be encrypted, like an HTTPS connection.
#4 Select a server you want to connect to, and then press “Hide My IP”.

Tips: For more detailed and illustrated steps about how to defend against a man-in-the-middle attack, please follow our Wikihow article “How to Deal with a Man in the Middle Attack”.

Method 3. Secure Shell Tunneling

The 3rd trick is to make use of Secure Shell (SSH), which is a network protocol for remote administration of UNIX/Linux hosts. SSH is typically used to log into a remote machine and execute commands, but it also supports tunneling, forwarding TCP ports and X11 connections. A Secure Shell (SSH) tunnel consists of an encrypted tunnel created through an SSH protocol connection. Users may set up SSH tunnels to transfer unencrypted traffic over a network through an encrypted channel.

SSH uses public-key cryptography to authenticate the remote computer and allow it to authenticate the user, if necessary.

#1 Download Bitvise SSH Client from http://www.bitvise.com/ssh-client-download. After installation, double-click the shortcut to launch the program.
#2 Select the “Services” tab in the main interface. In the SOCKS/HTTP Proxy Forwarding section, check the box to enable the forwarding feature, then fill in the IP address of the Listen Interface, 127.0.0.1, which means the localhost. The Listen Port can be an arbitrary number ranging from 1 to 65535, but to avoid conflicts with the well-known ports, a port number between 1024 and 65535 is suggested here.
#3 Switch to the “Login” tab, fill in the information of the remote server & your account, then click the “Login” button below.
#4 When you connect to a server for the first time, a dialog containing the MD5 fingerprint of the remote server will pop up. Check the fingerprint carefully to authenticate the real identity of the SSH server. You can get the real MD5 fingerprint of the server from your host administrator or by using the Linux command ssh-keygen -lf file.
#5 Open a browser (e.g., Firefox), open the menu, then click “Options”.
#6 Select “Advanced” in the “Options” dialog, click the “Network” tab, then click “Settings…”.
#7 In the “Connection Settings” dialog, select “Manual Proxy Configuration” option, choose the proxy type “SOCKS v5”, and fill in the IP address and port number of the proxy server, then press “OK”. Since we are running SOCKS proxy forwarding using Bitvise SSH client in the same computer, the IP address should be 127.0.0.1 or localhost, and the port number must be the same as we set in #2.
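
The fingerprint check in step #4 is what actually stops an interceptor, so here is an added example (not part of the original article or of Bitvise) that computes a host key's fingerprint from its public key line and compares it with the value your administrator gave you. The key material is constructed for illustration; note that recent OpenSSH versions print SHA256 fingerprints by default and show the MD5 form with ssh-keygen -E md5 -lf file, so the check accepts both formats.

```python
import base64, hashlib, hmac, struct

def parse_pubkey_line(line):
    """Split an OpenSSH public key line ('type base64 [comment]') into (type, blob)."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("not an OpenSSH public key line")
    blob = base64.b64decode(fields[1], validate=True)
    if len(blob) < 4:
        raise ValueError("key blob too short")
    # The blob begins with a length-prefixed copy of the key type; it must agree.
    (name_len,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + name_len] != fields[0].encode():
        raise ValueError("key type does not match key blob")
    return fields[0], blob

def md5_fingerprint(blob):
    """Colon-separated hex form, as shown in older SSH client dialogs."""
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))

def sha256_fingerprint(blob):
    """'SHA256:' plus unpadded base64, the default of current OpenSSH."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

def host_key_matches(pubkey_line, trusted_fingerprint):
    """True only if the presented key hashes to the fingerprint obtained out of band."""
    _, blob = parse_pubkey_line(pubkey_line)
    trusted = trusted_fingerprint.strip()
    if trusted.startswith("SHA256:"):
        shown = sha256_fingerprint(blob)
    else:
        if trusted.upper().startswith("MD5:"):
            trusted = trusted[4:]
        trusted, shown = trusted.lower(), md5_fingerprint(blob)
    return hmac.compare_digest(shown.encode(), trusted.encode())

def make_line(raw_key, comment):
    """Build a constructed ssh-ed25519 public key line (sample data, not a real host)."""
    name = b"ssh-ed25519"
    blob = struct.pack(">I", len(name)) + name + struct.pack(">I", len(raw_key)) + raw_key
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " " + comment

SERVER_KEY = make_line(bytes(range(32)), "constructed-server")
OTHER_KEY = make_line(bytes(range(1, 33)), "constructed-intermediary")

if __name__ == "__main__":
    trusted = md5_fingerprint(parse_pubkey_line(SERVER_KEY)[1])  # value from the admin
    print("genuine server:", host_key_matches(SERVER_KEY, trusted))
    print("different key: ", host_key_matches(OTHER_KEY, trusted))
```

If the second comparison ever succeeds for a key you did not expect, or the dialog's fingerprint differs from the trusted one, cancel the login instead of accepting the key.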
