What Is a Man-in-the-Middle Attack? Types, Examples, and Prevention

Learn what a man-in-the-middle attack is, how it works, and how to prevent it with strong authentication.

Learn how man-in-the-middle attacks work and how certificate-based authentication prevents them.
Key Points
  • MITM is a common cyber threat where an attacker secretly intercepts and relays communications between two parties, often by creating a rogue access point to exploit the channel.
  • EAP-TLS is the most effective protocol for eliminating MITM attacks because it uses mutual certificate validation between the client and server, removing the need to send vulnerable credentials over the air.
  • SecureW2’s Managed PKI simplifies certificate deployment across all devices, automates 802.1X onboarding, ensuring full protection against MITM attacks while reducing admin workload.

A man-in-the-middle attack, or MITM attack, is a cyberattack where an adversary secretly intercepts and potentially alters communications between two parties who believe they are talking directly to each other. The attacker positions themselves between a user and a server — or between two devices on a network — to eavesdrop on sensitive data like login credentials, session tokens, and financial information.

MITM attacks are one of the oldest forms of cyberattack, but they remain a persistent threat to enterprise networks, especially those that rely on password-based authentication for Wi-Fi and VPN access. Understanding how these attacks work is the first step toward man in the middle attack prevention.

We’ll talk about the different types of man in the middle attack and how to prevent man in the middle attack. We’ll also include a man in the middle attack example.

How Does a Man-in-the-Middle Attack Work?

A man-in-the-middle attack unfolds in two stages: interception and decryption.

Interception

The attacker first gains a position between the victim and the intended destination. On a local network, this can happen through ARP spoofing, DNS poisoning, or a rogue Wi-Fi access point. On the internet, an attacker might compromise a router, exploit a vulnerable proxy, or use BGP hijacking to redirect traffic.

Once in position, the attacker can passively monitor all data flowing between the two parties — or actively modify it in transit.

Decryption

If the intercepted traffic is encrypted (via TLS, for example), the attacker needs to decrypt it before it becomes useful. Common decryption techniques include SSL stripping (downgrading HTTPS connections to HTTP), presenting a forged certificate to the victim, or exploiting weaknesses in older protocols like SSLv3.

The attacker’s goal is to make the victim believe the connection is secure while reading every packet in plaintext.

Common Types of Man-in-the-Middle Attacks

MITM attacks vary by technique and target. Here are the most common types security teams encounter.

ARP Spoofing

Address Resolution Protocol (ARP) maps IP addresses to MAC addresses on a local network. In an ARP spoofing attack, the adversary sends forged ARP messages to associate their MAC address with the IP address of a legitimate host, typically the default gateway. All traffic intended for the gateway then flows through the attacker’s machine.

ARP has no built-in authentication mechanism, which makes this attack straightforward on any LAN that lacks protections like Dynamic ARP Inspection (DAI).

DNS Spoofing

DNS spoofing, also called DNS cache poisoning, corrupts the DNS resolver cache so that a domain name resolves to an attacker-controlled IP address. When a user types a legitimate URL, their browser loads a fraudulent site instead. The fake site may look identical to the real one, tricking the user into entering credentials that go straight to the attacker.

Organizations can mitigate DNS spoofing by deploying DNSSEC (DNS Security Extensions) and using encrypted DNS protocols like DNS-over-HTTPS (DoH) or DNS-over-TLS (DoT).

Rogue Access Points and Evil Twin Attacks

A rogue access point is an unauthorized Wi-Fi access point connected to a corporate network. An evil twin attack takes this further: the attacker broadcasts an SSID that matches a legitimate network (e.g., “CorpWiFi”) with a stronger signal. Nearby devices auto-connect to the fake AP, and the attacker captures all traffic — including authentication credentials sent over protocols like PEAP-MSCHAPv2.

This attack type is particularly dangerous in enterprise environments where devices are configured to auto-connect to known SSIDs. Without mutual certificate validation, the device has no way to verify it is connecting to a legitimate access point.

SSL Stripping

SSL stripping intercepts the initial HTTP request before it is redirected to HTTPS and forces the connection to remain unencrypted. The attacker proxies the session, maintaining an HTTPS connection to the server while serving plain HTTP to the victim. The victim sees no padlock icon but may not notice, especially on mobile devices.

HSTS (HTTP Strict Transport Security) preload lists reduce the effectiveness of this attack by instructing browsers to always use HTTPS for specific domains.

Session Hijacking

In session hijacking, the attacker steals a valid session token (typically stored in a browser cookie) after the user has already authenticated. With that token, the attacker impersonates the legitimate user without needing their password. Common methods include packet sniffing on unencrypted networks, cross-site scripting (XSS), and malware.

IP Spoofing

IP spoofing involves creating IP packets with a forged source address to impersonate a trusted host. This can be used to bypass IP-based access controls, redirect responses to an attacker-controlled machine, or amplify denial-of-service attacks.

HTTPS Spoofing

In HTTPS spoofing, the attacker presents a fraudulent TLS certificate to the victim’s browser, often using homograph techniques and substituting lookalike Unicode characters in the domain name (e.g., replacing a Latin “a” with a Cyrillic “a”). If the victim accepts the certificate warning or the browser fails to flag it, the attacker decrypts the session in full.

Man-in-the-Browser Attacks

A man-in-the-browser (MitB) attack uses malware — typically a trojan — embedded in the victim’s browser. The malware intercepts and modifies web transactions in real time, even over HTTPS. Because the attack happens inside the browser after decryption, standard network-layer protections do not catch it. Endpoint detection and response (EDR) tools and browser integrity checks are the primary defense.

Real-World Man-in-the-Middle Attack Examples

MITM attacks are not theoretical. Several high-profile incidents demonstrate their impact.

DigiNotar (2011): A Dutch certificate authority was compromised, and attackers issued fraudulent TLS certificates for Google, Yahoo, and other major domains. Iranian users were targeted with MITM attacks that intercepted their Gmail traffic. DigiNotar went bankrupt within months.

Equifax (2017): Attackers exploited a vulnerability in the Equifax web application framework and used MITM techniques to intercept traffic containing personal data of 147 million people, including Social Security numbers and credit card details.

Kazakhstan government (2019-2020): The Kazakh government attempted to mandate the installation of a government-issued root certificate on all citizen devices. This would have enabled state-level MITM interception of all HTTPS traffic. Browser vendors blocked the certificate.

Superfish / Lenovo (2015): Lenovo shipped laptops with pre-installed adware called Superfish that installed its own root certificate and intercepted all HTTPS connections to inject ads. This broke TLS trust for every user, making them vulnerable to any attacker who obtained the Superfish private key — which was quickly extracted and published.

These incidents share a common thread: compromised or misused certificates undermine the trust model that protects encrypted communications.

How To Prevent Man-in-the-Middle Attacks

Preventing MITM attacks requires a layered approach that addresses network security, encryption, authentication, and endpoint protection.

Enforce HTTPS and HSTS Everywhere

Ensure all web-facing services use TLS 1.2 or higher. Deploy HSTS headers with preload to prevent SSL stripping. Use certificate transparency logs to detect unauthorized certificates issued for your domains.

Use a VPN for Remote Access

A VPN encrypts traffic between remote users and the corporate network, preventing interception on untrusted networks like public Wi-Fi. Pair VPN access with certificate-based authentication rather than passwords to eliminate the credential theft risk.

Deploy DNSSEC and Encrypted DNS

DNSSEC validates DNS responses to prevent cache poisoning. Encrypted DNS (DoH or DoT) prevents on-path attackers from observing or modifying DNS queries in transit.

Segment and Monitor the Network

Network segmentation limits the blast radius of an ARP spoofing or rogue AP attack. Deploy Dynamic ARP Inspection, enable 802.1X port-based access control, and use a wireless intrusion prevention system (WIPS) to detect rogue access points.

Replace Passwords with Certificate-Based Authentication

This is the most effective defense against MITM attacks on enterprise Wi-Fi and VPN networks — and the one most organizations overlook.

Password-based protocols like PEAP-MSCHAPv2 send hashed credentials over the air during authentication. An attacker operating a rogue access point or evil twin can capture these hashes, crack them offline, and gain full network access. PEAP-MSCHAPv2 has been considered broken since 2012, yet many enterprises still rely on it.

EAP-TLS with mutual certificate validation eliminates this attack vector entirely. Here’s why:

  1. No credentials over the air. EAP-TLS authenticates using X.509 digital certificates, not passwords. There is nothing for the attacker to intercept or crack.
  2. Mutual authentication. Both the client device and the RADIUS server present certificates to each other. The device verifies the server’s certificate against a trusted Certificate Authority (CA) before sending any data. A rogue access point cannot produce a valid server certificate, so the device refuses to connect.
  3. Non-exportable keys. When certificates are bound to device hardware (TPM or Secure Enclave), the private key cannot be extracted or cloned — even if the device is compromised.

This is where most prevention guides stop. They recommend “use certificates” without addressing the operational burden that has historically made PKI adoption difficult. Manually issuing, distributing, and renewing certificates across thousands of devices is complex — and it is the reason many IT teams default to passwords despite knowing the risk.

How SecureW2 Stops MITM Attacks on Enterprise Networks

SecureW2 removes the operational barriers to certificate-based authentication so IT teams can deploy EAP-TLS without the infrastructure pain.

JoinNow Dynamic PKI is a cloud-native managed PKI that issues X.509 certificates to every device on your network — managed and BYOD alike. There are no on-prem CA servers to maintain, no complex Group Policy configurations, and no manual certificate distribution.

JoinNow Cloud RADIUS performs real-time identity lookups against your Identity Provider (Entra ID, Okta, Google Workspace) on every authentication. If a user is disabled or a device falls out of compliance, access is revoked immediately — not at the next password rotation.

JoinNow MultiOS provides self-service BYOD onboarding that provisions certificates on any device (Windows, macOS, iOS, Android, ChromeOS) in a few clicks. End users configure 802.1X themselves without submitting a help desk ticket.

The result: every device on your network authenticates with a certificate, every connection uses mutual TLS validation, and MITM attacks against your Wi-Fi or VPN become technically impossible.

Partnering with SecureW2 to Stop MITM Attacks with Certificate-Based Authentication

Man-in-the-middle attacks exploit a fundamental weakness: password-based authentication puts interceptable credentials on the wire. As long as your network relies on passwords for Wi-Fi or VPN access, attackers with a rogue access point or ARP spoofing tool can capture and reuse those credentials.

Certificate-based authentication with EAP-TLS eliminates this risk. SecureW2 makes it operationally simple to deploy — managed PKI, cloud RADIUS, and self-service onboarding for every device on your network.

Talk to our team about eliminating MITM risk on your network.


Frequently Asked Questions

What is the difference between a man-in-the-middle attack and phishing?

Phishing tricks a user into voluntarily providing credentials through a deceptive email or website. A man-in-the-middle attack intercepts credentials (or other data) in transit between two parties without the user taking any deliberate action. Some attacks combine both — an evil twin access point, for example, intercepts traffic while also presenting a fake captive portal to phish credentials.

Can HTTPS prevent man-in-the-middle attacks?

HTTPS with a valid TLS certificate prevents most MITM attacks on web traffic by encrypting the connection and authenticating the server. However, HTTPS does not protect against all MITM scenarios. SSL stripping can downgrade the connection before encryption begins, compromised certificate authorities can issue fraudulent certs, and HTTPS does nothing to protect non-web protocols like Wi-Fi authentication (802.1X).

How do you detect a man-in-the-middle attack?

Detection is difficult because MITM attacks are designed to be invisible. Signs include unexpected certificate warnings in the browser, unusual network latency, duplicate MAC addresses on the network (indicating ARP spoofing), and DNS responses that resolve to unexpected IP addresses. Network monitoring tools, intrusion detection systems (IDS), and certificate transparency logs can help surface these anomalies.

Why is certificate-based authentication the strongest defense against MITM?

Certificate-based authentication (EAP-TLS) eliminates the two things MITM attackers exploit: interceptable credentials and one-sided trust. Passwords can be captured and replayed. Certificates use asymmetric cryptography — the private key never leaves the device. Mutual authentication means the client verifies the server's identity before transmitting data. Together, these properties make it mathematically infeasible for an attacker to impersonate either side of the connection.

Are man-in-the-middle attacks common?

Yes. IBM X-Force reports that MITM techniques appear in a significant portion of network-based attacks. They are especially common on public Wi-Fi networks, in enterprise environments using password-based Wi-Fi authentication, and in targeted attacks against high-value individuals. The risk increases as more organizations support remote work and BYOD without upgrading their authentication infrastructure.