What is "Man-in-the-Middle"?
A Man-in-the-Middle attack requires the attacker to place himself between two communicating parties and relaying messages for them, while the parties believe they are communicating with each other directly and securely. The attacker can then monitor and possibly change the contents of messages. MitM concept is not limited to computer security, similar attacks have existed in physical world long before computers.
MitM attacks on computer network
Performing a MitM attack on computer networks usually requires two distinct steps: intercepting the raw data and, when present, circumventing encryption and authentication. MitM attacks exist for many communication protocols. This article focuses on attacks against web traffic.
Methods of interception
There are two possible general locations for data interception on internet. An attacker can either intercept traffic close to endpoints or can use different methods to redirect the data to pass through a node he controls.
Intercepting data at the endpoints involves installing software directly on communicating device or listening in on the local Wifi or cable network.
Redirection of data can be accomplished at different levels. On local networks IPv4 ARP spoofing, ipv6 router advertisement or automatic proxy discovery can be exploited. At the internet level DNS spoofing is widely used to point legitimate hostnames to fake servers. Ultimately, redirection of data on massive scale that affects whole internet is possible by BGP misdirection.
Attacks on authentication
The HTTPS protocol uses server certificates to enable clients to authenticate the servers they connect to. Server certificates are distributed by Certificate Authorities (CA). CA's are well-known and trusted organizations that take measures to make sure they hand out certificates to legitimate entities. Without server certificates it would be trivial for interception device to decrypt received data, modify it, re-encrypt with its own key and pass along to the other end.
Root certificates for number of major CA's are included in the browser by default and they can be used to verify authenticity of according server certificates. Only the certificates distributed by those CA's, and the ones explicitly added by user, are trusted by browser. Other certificates typically rise some sort of alarm and block access. The attacker aims to avoid this alarm or to convince naive user to ignore it.
The alarm could be avoided by using a stolen CA private key to sign fake server certificate as in the 2011 DigiNotar case. However, CA private keys are very securely guarded and this is rare. An easier approach consists in converting data from https protocol to http en route, as with the SSLStrip tool. Certificates are not checked for http connection. The resulting page may have a green favicon visually similar to browser "secure connection sign" added to it, to make browser address bar look trustworthy. Lastly, users can often be manipulated to ignore security warnings and continue regardless by just instructing them to do so in a convincing manner.
If the client device itself has been compromised, possibilities for the attacker are unlimited. Owners must protect their device integrity for any additional mitigation to be meaningful
In all other cases it is most important to make sure that encryption and proper certificates are used whenever possible. Enforcing restrictive corporate or user policies on operating system and web browser is the easiest way to increase security. However, regardless how restrictive the policies, a big part of responsibility will still always fall on the user. Therefore, educating users for safe network use and to recognize signs of MitM attacks is the most effective way to avoid them.
Possible legitimate use
MitM technique is sometimes used in data loss prevention (DLP) systems that make sure that no information can go out through perimeter without being inspected in unencrypted form. In such cases users should be made clearly aware of the interception and its legality.