In the final part of our series on the leading cybersecurity threats of 2022, we’re diving into man-in-the-middle attacks and the importance of communicating over secure channels. Learn how to keep personal and business data secure below.
What is a man-in-the-middle attack?
Simply put, any attack in which a third party positions themselves between two communicating parties and listens in on the shared information can be considered a man-in-the-middle attack. In other cases, the attacker tricks one or both parties into handing over sensitive data directly. The fake links included in phishing emails, for example, can also be considered a form of the attack, with the email content itself being the social engineering element.
If we loop back to the analogy we’ve been using to describe cyber threats over the past weeks, then man-in-the-middle attacks are like old-fashioned wiretapping on phone lines. You call your bank to handle a transaction. A person listening in on your phone conversations now has all the information they need to duplicate these calls and steal money from your account.
However, in the digital world, the attacker has more options to alter the contents of the messages being sent. For example, a friend asks you to pick them up, but a third party changes the address in their message. When you arrive at the address you receive, your friend is nowhere to be seen. Only the attackers are waiting for you… Even if they don’t inject false information, they can still use the request to discern that you are not at home and break into your house while you’re away. These simple real-life parallels illustrate just how damaging man-in-the-middle attacks can be.
Defending against man-in-the-middle attacks
Encryption is everything when it comes to blocking man-in-the-middle attacks. Using HTTPS over HTTP online is a great step in safeguarding against the simplest forms of such attacks. In HTTPS, communication between your device and the server is protected with TLS encryption. (Learn more about the different forms of encryption from our previous blog.)
Lately, however, some malicious actors have resorted to cross-protocol attacks. These exploit weaknesses in how different internet protocols such as HTTP and FTP interoperate, allowing an attacker to pose as the intended recipient of encrypted data.
One possible defense against such cross-protocol attacks is enabling HTTP Strict Transport Security (HSTS) on websites. HSTS is an HTTP response header that the website’s developer or operator must configure on the server. It forces a browser to use HTTPS-encrypted communication in all future connections to the website and blocks connections to versions of the site that present an unrecognized certificate.
Let’s look at an example: you visit a website without adding the protocol (http:// or https://) to the address. Depending on your browser and settings, your browser will default to either an HTTP or an encrypted HTTPS connection. If it uses HTTP, the site you are trying to access will likely then redirect you to the encrypted protocol. The HSTS header sent over that HTTPS connection then informs your browser that every future attempt to open the site should use HTTPS and blocks your browser from making unencrypted connections. Should your browser not recognize the certificate the next time you open the site, it will block the connection. Furthermore, unlike in other cases of unrecognized certificates, it will not allow you to click through the warning. (This can only be achieved by removing the site from your browser’s HSTS list.) Your browser simply considers the site compromised until it is offered a verified certificate.
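To make the mechanism above concrete, here is a small model of the browser side of HSTS, written as an added example for this article (it is not Tresorit's code, nor a real browser's). It parses a `Strict-Transport-Security` header as described in RFC 6797, remembers the host until `max-age` expires, honours `includeSubDomains`, ignores headers that arrive over plain HTTP (a browser must, or an on-path attacker could plant or strip them), and upgrades later `http://` URLs for known hosts to `https://`. Host names and header values in the usage block are constructed for illustration.

```python
import time
from urllib.parse import urlsplit, urlunsplit


class HstsCache:
    """Toy model of a browser's HSTS store: host -> (expiry timestamp, includeSubDomains)."""

    def __init__(self, now=time.time):
        self._now = now          # injectable clock so expiry can be tested deterministically
        self._entries = {}

    @staticmethod
    def parse_header(value):
        """Parse a Strict-Transport-Security value into (max_age, include_subdomains, preload)."""
        max_age = None
        include_subdomains = False
        preload = False
        for raw in value.split(";"):
            directive = raw.strip()
            if not directive:
                continue
            name, _, arg = directive.partition("=")
            name = name.strip().lower()
            arg = arg.strip().strip('"')
            if name == "max-age":
                if not arg.isdigit():
                    raise ValueError("max-age must be a non-negative integer")
                max_age = int(arg)
            elif name == "includesubdomains":
                include_subdomains = True
            elif name == "preload":
                preload = True
            # Unknown directives are ignored, as RFC 6797 requires.
        if max_age is None:
            raise ValueError("max-age directive is required")
        return max_age, include_subdomains, preload

    def observe(self, host, header_value, over_https=True):
        """Record a header received from `host`. Returns False if it had to be ignored."""
        if not over_https:
            return False     # HSTS is only trusted when received over a valid HTTPS connection
        max_age, include_subdomains, _ = self.parse_header(header_value)
        host = host.lower()
        if max_age == 0:
            self._entries.pop(host, None)   # max-age=0 tells the browser to forget the host
            return True
        self._entries[host] = (self._now() + max_age, include_subdomains)
        return True

    def is_known_host(self, host):
        """True if `host` (or a parent with includeSubDomains) has an unexpired HSTS entry."""
        host = host.lower()
        now = self._now()
        entry = self._entries.get(host)
        if entry and entry[0] > now:
            return True
        labels = host.split(".")
        for i in range(1, len(labels)):
            parent = ".".join(labels[i:])
            entry = self._entries.get(parent)
            if entry and entry[0] > now and entry[1]:
                return True
        return False

    def rewrite(self, url):
        """Upgrade http:// to https:// for known hosts; leave other URLs untouched."""
        parts = urlsplit(url)
        if parts.scheme == "http" and self.is_known_host(parts.hostname or ""):
            netloc = parts.hostname
            if parts.port and parts.port != 80:   # port 80 maps to the HTTPS default, 443
                netloc = f"{netloc}:{parts.port}"
            return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
        return url


if __name__ == "__main__":
    # Constructed walk-through: first visit over HTTPS sets the policy, later visits are upgraded.
    cache = HstsCache()
    cache.observe("example.com", "max-age=31536000; includeSubDomains; preload")
    print(cache.rewrite("http://example.com/login"))       # https://example.com/login
    print(cache.rewrite("http://api.example.com/v1"))      # https://api.example.com/v1
    print(cache.rewrite("http://notexample.com/"))         # unchanged: no policy known
```

Two properties of the model are worth noticing. The very first visit is still unprotected, which is why the `preload` directive (and submission to the browser preload list) exists; and a policy only lasts `max-age` seconds, so operators should use a long value and refresh it on every HTTPS response.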
On the user side, configuring your browser to default to HTTPS connections is a must-have element of defending against man-in-the-middle attacks. Most mainstream browsers (Chrome, Firefox, Safari, and Edge) now enable this setting by default. However, users of other browsers should confirm the setting or consider installing the HTTPS Everywhere plugin if available.
Virtual private networks (VPNs) can provide an added layer of security and privacy. In a business setting, employees working remotely should be required to use a VPN on their company devices when accessing enterprise data remotely. Even private individuals can benefit from a VPN; however, they should avoid free services and only trust those with no-logging policies proven in court or by independent third-party audits.
Finally, as always, running an up-to-date firewall and a robust anti-malware solution on your device is critical. These can help mitigate man-in-the-middle attacks that aim to infect your device with viruses or other malicious code.
Can end-to-end encryption help?
Protection from man-in-the-middle attacks is one of the key benefits of end-to-end encryption. In fact, it’s not much of a stretch to say it is one of the things the technology was made for. When content is end-to-end encrypted, it is the already encrypted file that is protected with TLS (the encryption protocol used by HTTPS) for transfer. As a result, even if an attacker were to mount a successful cross-protocol attack, all they would be able to access is the encrypted file. Thus, the information contained within the file remains safe.
For the attacker to decrypt the file, they would have to compromise the private key of your intended recipient. While this is theoretically possible, the complexity of such an attack and the hardware resources it requires are beyond current technical capabilities if key management is handled correctly and securely.
This is why secure file sharing through Tresorit is so safe. Only you and your intended recipient will be able to open your files, no one else, not even us. Protect one-off shares with password-protected share links (with the password sent over a separate, non-digital channel), or set up shared folders for long-term collaboration. Learn more about our file-sharing solutions and protect your business from digital snoops.
To help companies and individuals alike protect their data and the data they are entrusted with, we launched a series of blogs on Data Protection Day (or Privacy Day for our friends in the US) to discuss the major cybersecurity threats, and by extension data security threats, of 2022. Read through our previous articles to learn more, and check back over the coming weeks for more info about:
- Back to basics – defining security, privacy, information security, and data protection in 2022;
- social engineering (phishing, smishing) is always becoming more sophisticated;
- ransomware is going nowhere in 2022, but cyber security tunnel vision is also a threat;
- and how DDOS attacks are simple to carry out and extremely damaging.
We’re exploring the tech behind each threat, what companies and individuals alike can do to counter them, and where end-to-end encryption can help. Watch this space.