Man-in-the-middle defense

Man-in-the-middle attacks are difficult to protect against. The attack happens outside of the victim's controlled environment and, when executed properly, leaves no obvious signature that alerts the victims involved. MITM is typically the first step of a more sinister attack such as SSL strip. One common way to protect against MITM is ensuring websites are served over TLS (SSL 3.0 and earlier are broken and should be disabled; TLS 1.2 or later is the version to require). In other words, make sure the websites are accessed using HTTPS. Verifying HTTPS is not as easy as looking for a little green address bar with a lock symbol, because an attacker in the middle can terminate the connection and present the victim with a certificate of the attacker's own for the site, making the session appear secure.

To properly check an HTTPS session, examine the certificate and the chain of certificate authorities that issued it. This additional effort discourages many users from verifying a secured session, which is what makes this attack method so effective.


The previous screenshot shows an SSL certificate for Gmail that was issued by the Google Internet Authority. This sounds great, but who is the Google Internet Authority? Can I trust them? Is it really Google? In this example, another certificate authority is shown above the Google Internet Authority in the chain, named Equifax Secure Certificate Authority. The Google Internet Authority is an intermediate CA: its own certificate was issued by Equifax, a root CA that ships in the browser's trust store and that has a number of checks and balances before issuing a certificate to ensure a business is valid. Verifying that the chain ends at the Equifax root, and that each certificate in it was signed by the one above, makes me feel confident I can trust this certificate.

Ultimately, HTTPS relies on the concept of trust. To be more explicit, the question comes down to whether the certificate authority that issued the certificate is one you trust, and whether the chain from the site's certificate up to that authority is valid and legitimate. In lab environments, it is common to find self-signed certificates that trigger warnings from most popular Internet browsers. That annoying popup that users complain about when accessing websites serves as a means to warn that the certificate does not chain to a trusted authority. That is exactly what an attacker's certificate looks like from the browser's point of view, so there is a risk of a MITM attack.
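The chain check described above, written out as an added example (this is not code from the book). It uses the third-party `cryptography` package to build a constructed demo PKI that mirrors the text's chain, with a root standing in for Equifax, an intermediate standing in for the Google Internet Authority, and a site certificate for mail.google.com, and then verifies a certificate the way a browser does: the name must match, the validity period must cover now, and there must be a signature path from the certificate to a root in the trust store. An impostor certificate with the same name, such as an interception proxy would present, fails that check; the same certificate passes the moment a user adds it to the trust store, which is the trust question the paragraph raises. All keys, names, and dates below are generated locally for illustration.

```python
import datetime
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def issue(subject_cn, subject_key, issuer_cert, issuer_key, ca, dns_names=()):
    """Issue a certificate for subject_key; issuer_cert=None makes it self-signed."""
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (
        x509.CertificateBuilder()
        .subject_name(_name(subject_cn))
        .issuer_name(issuer_cert.subject if issuer_cert is not None else _name(subject_cn))
        .public_key(subject_key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(minutes=5))
        .not_valid_after(now + datetime.timedelta(days=30))
        .add_extension(x509.BasicConstraints(ca=ca, path_length=None), critical=True)
    )
    if dns_names:
        builder = builder.add_extension(
            x509.SubjectAlternativeName([x509.DNSName(d) for d in dns_names]), critical=False)
    return builder.sign(issuer_key, hashes.SHA256())


def _signed_by(cert, issuer):
    """True if the issuer's public key verifies cert's signature (ECDSA keys in this demo)."""
    try:
        issuer.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                   ec.ECDSA(cert.signature_hash_algorithm))
        return True
    except InvalidSignature:
        return False


def _is_ca(cert):
    try:
        return cert.extensions.get_extension_for_class(x509.BasicConstraints).value.ca
    except x509.ExtensionNotFound:
        return False


def _valid_at(cert, now):
    """Validity-period check that works on old and new cryptography releases."""
    nb = getattr(cert, "not_valid_before_utc", None)
    na = getattr(cert, "not_valid_after_utc", None)
    if nb is None:  # cryptography < 42 exposes naive datetimes that are in UTC
        nb = cert.not_valid_before.replace(tzinfo=datetime.timezone.utc)
        na = cert.not_valid_after.replace(tzinfo=datetime.timezone.utc)
    return nb <= now <= na


def verify_chain(leaf, intermediates, trust_anchors, hostname, now=None):
    """Build the path leaf -> intermediates -> trusted root the way a browser does.

    Returns the certificates on the path, or raises ValueError with the reason a
    browser would show a warning (wrong name, expired, no trusted issuer).
    """
    now = now or datetime.datetime.now(datetime.timezone.utc)
    try:
        san = leaf.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
        names = san.get_values_for_type(x509.DNSName)
    except x509.ExtensionNotFound:
        names = []
    if hostname not in names:
        raise ValueError(f"certificate is not issued for {hostname}")
    path, cert = [leaf], leaf
    while True:
        if not _valid_at(cert, now):
            raise ValueError(f"{cert.subject.rfc4514_string()} is expired or not yet valid")
        # Signed directly by a root in the trust store: the path is complete.
        for root in trust_anchors:
            if root.subject == cert.issuer and _signed_by(cert, root):
                return path if root == cert else path + [root]
        # Otherwise find the intermediate CA that signed it and keep climbing.
        nxt = next((c for c in intermediates
                    if c.subject == cert.issuer and _is_ca(c) and _signed_by(cert, c)), None)
        if nxt is None or nxt in path:
            raise ValueError(f"no trusted issuer found for {cert.subject.rfc4514_string()}")
        path.append(nxt)
        cert = nxt


def build_demo():
    """Constructed PKI mirroring the text's chain: root -> intermediate -> site, plus an impostor."""
    root_key, inter_key, site_key, evil_key = (ec.generate_private_key(ec.SECP256R1()) for _ in range(4))
    root = issue("Demo Root CA", root_key, None, root_key, ca=True)
    inter = issue("Demo Intermediate CA", inter_key, root, root_key, ca=True)
    site = issue("mail.google.com", site_key, inter, inter_key, ca=False, dns_names=["mail.google.com"])
    # An interception proxy can put the same name on a certificate, but it can only
    # sign with its own key, which chains to nothing the browser trusts.
    evil = issue("mail.google.com", evil_key, None, evil_key, ca=False, dns_names=["mail.google.com"])
    return root, inter, site, evil


if __name__ == "__main__":
    root, inter, site, evil = build_demo()
    print([c.subject.rfc4514_string() for c in verify_chain(site, [inter], [root], "mail.google.com")])
    for label, store in (("impostor", [root]), ("impostor after the user trusts it", [evil])):
        try:
            print(label, "->", [c.subject.rfc4514_string() for c in verify_chain(evil, [inter], store, "mail.google.com")])
        except ValueError as err:
            print(label, "->", err)
```

The last case is the one to remember: nothing about the impostor certificate changes, only the trust store does, and that alone turns a warning into a green lock. Corporate interception proxies and lab setups that ask you to install a root certificate rely on exactly this.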


An encrypted Virtual Private Network (VPN) is another way of protecting against man-in-the-middle attacks. By encrypting all data sent to and from your device while masking your public Internet Protocol (IP) address, an encrypted VPN ensures that the path between you and the VPN endpoint cannot be monitored or recorded by anyone except the VPN provider. Note that the protection ends at that endpoint: traffic leaving the provider for the Internet is only as protected as the application-layer encryption (such as HTTPS) it carries.

VPNs can use strong authentication methods, such as two-factor authentication, which combines a username and password with another form of authentication, such as one-time passwords (OTP), hardware tokens, or certificates. This makes it difficult for an attacker to steal the credentials required to establish another user's VPN session.

VPNs are built on tunneling protocols such as PPTP, L2TP, SSL/TLS, and IPsec. TLS and IPsec VPNs provide higher-level security for guarding data compared to the other protocols because of their use of strong, well-analyzed cryptographic protocols. PPTP's MS-CHAPv2 authentication and RC4-based encryption are broken and should not be relied on, and L2TP provides no encryption of its own, which is why it is normally run inside IPsec (L2TP/IPsec).

Tip

VPNs are provided by both private and public organizations. Because the provider terminates the tunnel, it is able to examine your traffic; it is the trusted service provider. Therefore, the question of trust is still a very important concept when using a VPN. You must ask whether you trust your VPN provider to protect your data and privacy, because your data security is in the service provider's hands.

Other techniques that can be used to defend against MITM attacks on the local network are Media Access Control Security (MACsec, IEEE 802.1AE) and IEEE 802.1X. 802.1X authenticates a device before it is admitted to a switch port or wireless network, and MACsec then provides source authentication, data integrity, and encryption on each link as traffic travels across the network, which defeats an attacker sitting on the same network segment. Both approaches require compatible switches and endpoints and must be enabled properly in order to be effective.

SSL strip defense

SSL strip (covered in Chapter 3, Server Side Attacks) allows attackers to downgrade a victim's connection from HTTPS to plain HTTP and view the victim's Internet session, including confidential information. It is common to link SSL strip with another attack, such as a man-in-the-middle: the attacker captures all traffic and strips away the SSL/TLS protection on the victim's side of the connection, so everything is visible to the attacker's traffic sniffing tools. We covered this concept in Chapter 5, Attacking Authentication, of this textbook.

To protect against SSL strip attacks, it is important to understand how SSL strip exploits a victim. The attack takes advantage of websites redirecting users from a non-encrypted version of the site to an encrypted version of the site. When you navigate to http://www.facebook.com or http://www.gmail.com, you will notice you are redirected to https://www.facebook.com and https://www.gmail.com. SSL strip intercepts that first plain-HTTP request, which an attacker in the middle can see. Rather than passing the redirect on, the attacker's proxy makes the HTTPS request to the real site itself and returns the page to the victim over plain HTTP, with every https:// reference rewritten to http://. The victim's browser therefore never upgrades, even if the site has no non-secure version of its own, and the attacker can view the victim's entire session.

One method to protect against SSL strip attacks is to ensure that websites do not have a non-secure version and do not rely on a redirect from HTTP to HTTPS. This would prevent an SSL strip attack, because there is no redirection to intercept: when a victim is attacked, they will simply not be able to get to the website. We understand from a real-world implementation standpoint that this is very difficult to enforce. People are used to typing a non-secure HTTP address and being automatically redirected when security is needed, and many businesses would not want users thinking their website is down because they did not request the secure version. In practice this is what HTTP Strict Transport Security (HSTS) provides: once a browser has seen the site over HTTPS with that header, it upgrades every later http:// request itself before anything is sent, so there is nothing for SSL strip to intercept. Beyond that, the best protection from SSL strip is educating users on how these attacks occur so they can identify them.
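Both halves of the above, the attacker's rewriting and the browser-side defense, as an added example in standard-library Python (this is not code from the book, and HSTS itself is not a topic the book covers here). The first function performs the rewriting an sslstrip-style proxy applies to the server's response: the HTTP-to-HTTPS redirect becomes an HTTP-to-HTTP one, https:// links in the body become http://, and the Secure flag is removed from cookies so the downgraded session keeps working. The second part is a minimal HSTS store: it parses the Strict-Transport-Security header, ignores it when it arrives over plain HTTP (RFC 6797 requires that, otherwise the man-in-the-middle could plant or clear entries), honours includeSubDomains and expiry, and upgrades http:// URLs before they reach the wire. The host names, the server response, and the preload entry are constructed for illustration.

```python
import re
import time
from urllib.parse import urlsplit, urlunsplit

# ---- Attacker side: the rewriting an sslstrip-style proxy performs ----
# The proxy holds the man-in-the-middle position.  It speaks HTTPS to the real
# server and plain HTTP to the victim, and edits the response so the victim's
# browser never has a reason to upgrade.

HTTPS_REF = re.compile(rb"https://", re.IGNORECASE)


def strip_response(status, headers, body):
    """Return the (status, headers, body) the victim receives after stripping."""
    headers = dict(headers)
    location = headers.get("Location", "")
    if location.lower().startswith("https://"):
        # The HTTP->HTTPS redirect the text describes is turned into an HTTP->HTTP one.
        headers["Location"] = "http://" + location[len("https://"):]
    if "Set-Cookie" in headers:
        # A browser will not send a Secure cookie over HTTP, so the flag is removed
        # to keep the victim's session usable on the downgraded connection.
        headers["Set-Cookie"] = re.sub(r";\s*Secure\b", "", headers["Set-Cookie"], flags=re.IGNORECASE)
    headers.pop("Strict-Transport-Security", None)  # a browser ignores it over HTTP anyway
    return status, headers, HTTPS_REF.sub(b"http://", body)


# ---- Browser side: HTTP Strict Transport Security (RFC 6797) ----
# Once a site has been seen over HTTPS with this header, the browser rewrites
# every later http:// request to https:// before anything is sent, so there is
# no plain-text request for the proxy above to intercept.

def parse_hsts(header):
    """Parse 'max-age=N[; includeSubDomains]' into (max_age, include_subdomains)."""
    max_age, include_sub = None, False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            max_age = int(value.strip().strip('"'))
        elif name == "includesubdomains":
            include_sub = True
    if max_age is None:
        raise ValueError("max-age directive is required")
    return max_age, include_sub


class HstsStore:
    def __init__(self, preload=()):
        # host -> (expiry, include_subdomains); preloaded hosts never expire
        self.entries = {h.lower(): (float("inf"), True) for h in preload}

    def observe(self, host, header, over_https, now=None):
        """Record a Strict-Transport-Security header; returns True if it was accepted."""
        if not over_https:
            # RFC 6797 section 8.1: headers received over plain HTTP are ignored,
            # otherwise a man-in-the-middle could plant or clear entries.
            return False
        max_age, include_sub = parse_hsts(header)
        now = time.time() if now is None else now
        host = host.lower()
        if max_age == 0:
            self.entries.pop(host, None)  # max-age=0 tells the browser to forget the host
        else:
            self.entries[host] = (now + max_age, include_sub)
        return True

    def is_known(self, host, now=None):
        """True if host, or a parent with includeSubDomains, has an unexpired entry."""
        now = time.time() if now is None else now
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self.entries.get(".".join(labels[i:]))
            if entry and entry[0] > now and (i == 0 or entry[1]):
                return True
        return False


def request_url(typed_url, store, now=None):
    """The URL the browser actually puts on the wire for what the user typed."""
    parts = urlsplit(typed_url)
    if parts.scheme == "http" and parts.hostname and store.is_known(parts.hostname, now):
        return urlunsplit(("https",) + tuple(parts[1:]))
    return typed_url


if __name__ == "__main__":
    # Constructed server response: the HTTP->HTTPS redirect the text describes.
    response = (302, {"Location": "https://www.facebook.com/login",
                      "Set-Cookie": "sid=abc123; Secure; HttpOnly"}, b"")
    print("victim without HSTS sees:", strip_response(*response)[1])
    # With the host known (here from an assumed preload entry) the browser
    # upgrades before the request leaves the machine.
    store = HstsStore(preload=["facebook.com"])
    print("browser with HSTS requests:", request_url("http://www.facebook.com/login", store))
```

The weak spot is visible in the store: a host the browser has never seen over HTTPS gets no protection on its first visit, which is why the user who habitually types http:// is the target, and why browsers ship a preload list for sites that opt in.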

In addition, the defense methods we outlined earlier against man-in-the-middle attacks will also defend against SSL strip, because SSL strip relies on the attacker first obtaining a man-in-the-middle position.
