Online Dangers

Man-In-The-Middle Attacks: What Are They and How to Guard Against Them?

Janis von Bleichert
Last update
2. Dec 2022

Maybe you've wondered what could happen if you sent sensitive information over the Internet and someone read it over your figurative shoulder. While you might have written this notion off as silly, you shouldn't, since such attacks actually take place with alarming frequency. Unauthorized third parties place themselves between their victim and the Internet, digitally eavesdropping on how the two communicate with one another in what is known as a man-in-the-middle (MITM) attack.

Below, we'll fill you in on what man-in-the-middle attacks are, how they're carried out, and what you can do to protect yourself.

What Are Man in the Middle Attacks?

A man-in-the-middle attack occurs when online communication channels are tapped into and monitored without the victim realizing it. They get their name from the intermediary role that the attacker assumes, namely, between the victim's computer or device and a specific online resource they're trying to access, such as a website. Through these, attackers can siphon off sensitive information like usernames and passwords. Such attacks are made possible owing to security gaps or weaknesses in how the victim's device communicates with the Internet.

Generally, MITM attacks can be broken down into two phases: First, data is captured, and then it is decrypted.

In order to 'catch' your data, the attacker needs to convince both parties (for example, your computer, and the server of the website that you're attempting to access) that you're directly communicating with one another. Of course, since the attacker is in between you, they need to make it seem that they're not. Decryption is needed to make the data that's captured, such as net banking credentials, actually usable.

Types of Man in the Middle Attacks

There are a number of weak points that cybercriminals can exploit to execute different types of MITM attacks. Often, spoofing will play a role. This is a kind of manipulation in which something is presented differently than what it actually is.

Below, we've summarized the various kinds of MITM attacks:

  • DNS Spoofing
    The Domain Name System (DNS) converts domain names into IP addresses so that browser can load the requested Internet resources (websites). This process goes faster if the domain name has already been translated and is stored in the browser's cache. MITM attackers use this cache when engaging in DNS spoofing to gain access to the DNS server and modify a website's address entry.

  • HTTPS Spoofing
    HTTPS is a communication protocol that guarantees the safety of data transfers between browsers and servers. When HTTPS is spoofed, attackers use fake security certificates which are accepted by browsers. During these attacks, even though you and your computer think the website you're visiting is secure, it actually isn't, allowing hackers to decrypt your data.

  • IP Spoofing
    With this, hackers change the IP address of a website in order to direct traffic somewhere else. Users think that they are on a legitimate website when in reality, hackers are following their every move.

  • ARP Spoofing
    Address Resolution Protocols are responsible for resolving MAC addresses on local networks. If spoofed, hackers can connect a user's IP address to a spoofed MAC address, allowing them to catch any data which the former sends.

  • Rogue Access Point
    Access points allow devices to connect to wireless networks. Rogue access points, on the other hand, are malicious, appearing legitimate, but actually monitoring all data traffic.

  • Session hijacking
    Hijacking is usually associated with airplanes and is a federal crime in the United States. Session hijacking is just as dangerous, in that a MITM attacker locks real users out of a web session (such as logging in to an application) by stealing the legitimate user's session token. In this way, hackers can access and use your account as though they were you, siphoning off as much sensitive information as they like.

Unfortunately, the above is just a selection of the most prevalent kinds of man-in-the-middle attacks, and there are plenty of others. For example, hackers can install malware in your web browser (referred to as a man-in-the-browser attack). Similarly, emails can be intercepted in order to monitor how you interact with your bank.

As such, the sky is the limit when it comes to methods and exploits, making it almost impossible to guard against all of them. For that reason, the more important question is how to recognize and prevent MITM attacks.

How to Recognize a Man in the Middle Attack?

Unfortunately, it can be very difficult to recognize a man-in-the-middle attack when it's ongoing. Still, some indications include:

  • Disrupted connections & long loading times: A possible indicator that a man-in-the-middle attack is occurring is multiple disruptions in your Internet connection. Longer load times can also be a red flag. Of course, these can just mean that the network you've connected to is having issues, or that the ISP is performing maintenance work.
  • Loss of HTTPS Encryption: Whenever an HTTPS address in your browser changes to an unencrypted HTTP one, there's a strong possibility that a MITM attack is underway.

Don't expect to be able to identify a MITM attack as it's ongoing. Instead, invest your efforts in prevention and minimizing risk, since there's a lot you can do.

9 Ways to Protect Against Man in the Middle Attacks

Bad news first: There's no such thing as 100% protection against malicious middlemen, as a determined and skilled cyber criminal will always find a way to undermine even the most formidable digital defenses. Still, there are a number of steps you can take to make yourself as hard a target as possible. Most hackers look for 'easy' marks and won't waste their time on tougher opponents. Accordingly, we identified 9 measures you can take to counter the threat of MITM attacks.


Pay Attention to a Website's Encryption

Websites that lack adequate encryption are particularly susceptible to MITM attacks. Specifically, we're talking about HTTP connections that don't have Secure Socket Layer (SSL) encryption.

For that reason, make sure that you only visit HTTPS websites. Your browser will usually alert you when visiting unencrypted websites anyways.

HTTPS websites are secured with SSL certificates.


Safe Routers

Powerful and up-to-date encryption is also important on routers. For these, WiFi Protected Access (WPA) has become the standard. Along with ensuring that your router has adequate encryption, you should also check that its firmware is current and that your router's login data and WiFi password are changed regularly.


Be Cautious on Public WiFi

Whether in a Starbucks or at the airport: Lots of MITM attacks are orchestrated on public WiFi since these lack the protection afforded by home or corporate networks. When connected to a publicly accessible network, exercise extra caution (especially when visiting unencrypted HTTP websites). To enhance your defenses, you can use software like VPNs, but more on these below.


Say No to Email Phishing

This one doesn't only prevent MITM attacks, but all sorts of nasty cyber surprises: Don't open suspicious emails, and if you do, definitely do NOT click on or download any links or attachments. The same goes for messages that look like they might have come from your bank, favorite online marketplace, or social media network asking you to submit your login details or other sensitive information. Supposing that you have an account with one of these services, they already know your password, birthday, and so on. What's more, such services will never ask you to supply such information via email or over the phone.


Pay Attention to Your Passwords

The more accounts you have, the more passwords you'll need. To make these as effective as possible, there are a few important rules to keep in mind:

  1. 1.
    Create secure passwords. These should be at least eight characters long and include numbers and special characters.
  2. 2.
    Don't recycle passwords. Each account you have requires its own unique password. In this way, you prevent password thieves from using the same password to gain access to other accounts associated with your email address.
  3. 3.
    Regularly change your passwords.

If you have lots of accounts, it might feel impossible to guarantee adequate security for all of your passwords without some help. Password managers don't only remember all of your passwords for you, giving you access to them with one master password, they'll also let you know when your passwords should be changed, and help to create new ones.


Activate Multi-Factor Authentication

Two-factor authentication, also known as multi-factor authentication is a measure that provides your accounts with added security. With it, a password isn't enough to gain access to your accounts, as a second factor (such as clicking on a link in an email or inputting a code from an authenticator app) is needed.

This complicates matters for data thieves, as they need to also have access to the second factor in order to pry open your account.


Communicate Through Encrypted Channels

Whether email, video (i.e. Zoom or Google Meet), or just chatting (WhatsApp, Signal, etc.), make sure your online communications are always end-to-end encrypted. This guarantees that your messages arrive encrypted to your recipient, and only they can decrypt them. No one - whether admins on the platform you're using or malicious hackers - can sneak a peek while these are in transit.


Use a Firewall and Antivirus Software

Having a firewall and the right antivirus program up and running enhances your protection against all sorts of cyber attacks, including man-in-the-middle ones. Make sure that your antivirus software and its definitions are up to date since clever cyber criminals are always stepping up their game.


Use a Reliable VPN

Virtual private network (VPN) services are also intermediaries, but the good kind. These route your data traffic to remote servers, masking your IP address, and encrypting your connection in the process. This minimizes direct contact between your device and the Internet and comes in particularly handy when using public WiFi.

VPN services like NordVPN automatically encrypt your Internet connection.

However, make sure that you only use legitimate VPN services, since you're putting your data in their hands. Unfortunately, there do exist lots of questionable (free) VPN services which can (and likely do) keep tabs on what their users are up to. This makes them just like man-in-the-middle attackers. For this reason, stick with reputable providers that regularly submit to independent security audits.

In our VPN comparison, we put a wide variety of VPN services to the test. Reviews and more can be found in the VPN section of our site:


Man-in-the-middle attacks are highly dangerous and difficult to notice. Cybercriminals disguise themselves as reputable intermediaries, siphoning off sensitive data, such as passwords, that your system is transmitting to a trusted web resource. Pulling these off is possible owing to the weak points in digital infrastructure and different areas that can be probed, such as DNS, IP, or HTTPS spoofing, to say nothing of the assistance malware can provide.

Noticing a man-in-the-middle attack while it's being executed is difficult. For that reason, it's smarter to proactively adopt security practices that will reduce the likelihood of these enjoying any success against you. When surfing, make sure you do so with HTTPS encryption, and if on public WiFi, exercise added caution.

You aren't alone though, as a number of useful tools exist that can enhance your security. For maximum password security, there's no way around a password manager; antivirus programs and firewalls can boost your digital defenses; and if you find yourself often on public WiFi, you might want to invest in a reliable VPN.


How does a man in the middle attack work?

Man-in-the-middle (MITM) attacks see the perpetrator position themselves between your system and the Internet resource you're attempting to communicate with. They disguise themselves so that they can siphon off sensitive data, such as passwords, that you might transmit to the (legitimate) Web service. The exact disguise they use depends on which communication weakness they're exploiting. As a result, there are lots of different types of MITM attacks, the most common of which are DNS spoofing, HTTPS spoofing, IP spoofing, Rogue Access Points, or session hijacking.

How can I recognize a MITM attack?

Identifying a MITM attack is difficult. Should the attacker be relying on DNS spoofing, you might notice odd-looking or incorrect URLs (such as instead of HTTPS URLs that suddenly transform into HTTP URLs are another likely indicator of a MITM attack. Beyond that, unexpected connectivity issues and slower loading times can point to a MITM attack (but also, plenty of other, technical issues).

How can I prevent a MITM attack?

As with all cybersecurity, there's no such thing as 100% protection. To reduce the likelihood of falling prey to a MITM attack (and boost your digital security overall), there are a number of proactive measures you can take. Surf only when HTTPS encryption is offered, exercise added caution when on public WiFi, and don't open suspicious emails or those from people you don't know. To help out, you can also enlist the services of password managers, VPNs, and antivirus software.

Janis von Bleichert studied business informatics at the TU Munich and computer science at the TU Berlin, Germany. He has been self-employed since 2006 and is the founder of He writes about hosting, software and IT security.
Continue Reading
Other languages