Man-in-the-Middle Attack (MITMA) is an attack designed to intercept communications between two parties and the breech remains unguessable. For example, Github is the Provider and You are the User; both computers’ are connected with each other either via Web Login or Command Line Tool. A Third Party, if somehow understand that your computer has security loophole (like it is Windows computer with no latest antivirus); the Third Party can push codes with malware faking as you (you have no idea that what is going on).
The most common channel is a connection to the Internet of the average user. The attacker must first be able to observe and intercept messages from one victim to another. The Man-in-the-Middle Attack (MITMA) is particularly applicable in certain protocols. It is unlikely to happen with GitHub as Secured Socket Layer (SSL) is used and the Authentication is Key Based. It can happen if there is an instance of Session Hijack.
To emulate and just check the how much precaution is taken from the server-side, one can :
- Create a Server Instance on Rackspace Cloud
- SSH to the Server without adding the Key at Control Panel
- Rebuild the Server from Control Panel
- Try to login again via SSH
Instantly, warning for being a possible Man-in-the-Middle Attack will float on the Command Line. This False Positive message of possible Man-in-the-Middle Attack situation happens as the Key from the User Side will not match.
Basics of Man-in-the-Middle Attack
One of the major problems take place when two people want to exchange encrypted data to ensure that they alone should know the secret information, the matching must be able to exchange the confidential key too. In the context of symmetric cryptography, it is necessary to have a secure channel which itself requires a key. In the context of asymmetric cryptography, it has been partly solved. The two individuals each have their public key (used to encrypt) and private key (which is used to decrypt). Thus, only the public keys are exchanged, which does not require a secure channel. Even if someone managed to intercept and read these public keys, if they decrypt, it would be of no use assuming that the encryption algorithm is cryptographically secure. Read about Encryption and Decryption to understand the basics.
Although the examples are given with Internet, this is most common in unencrypted Wireless Connections in Consumer Grade Electronics. The Man-in-the-Middle Attack adds the additional condition that the attacker has the ability to not only read, but also the ability to change the messages. In this case, even asymmetric encryption is vulnerable.
However, it is generally very difficult to change all the messages that pass. The goal of the attacker is to impersonate one (or) perform corresponding, using, for example :
- ARP Spoofing: This is probably the most common case. If one of the parties and the attacker is on the same local network, it is possible, even relatively easy for an attacker to force communications to pass through his/her computer pretending to be a “relay” (router , gateway). It is then relatively simple to modify these communications;
- DNS Poisoning: The attacker alters the server (s) DNS to redirect without their knowledge; the traffic analysis is required in order to view any unencrypted transmissions;
- Distributed denial of service : for example, the attacker can block all the communications before attacking the party. The computer can can no longer reply and the attacker has the ability to relay own message.
Man-in-the-Middle Attack : Types of attacks
Man-in-the-Middle Attack situation can be achieved for example in the following ways:
- Attacker is in the same LAN and has the has physical access to the data lines
- In Ethernet , the attacker modifies the ARP table of the victim systems and thereby directs all the traffic. This is even possible with cable network operators and for example at public Wi-Fi hotspots.
- The attacker depends on the same network bus as the victim (only in certain situations)
- The attacker has control over a router through which the traffic is funneled
- By manipulating the host file on the computer of the person attacked can fake despite entering the real URL IP addresses are resolved
SSH provides a way to fingerprint (“fingerprint”) after the first login (“login”) to check whether you have actually reached the target computer. In other word, the example with false positive message with Rackspace is the result of the mistake – the key was not added to the Rackspace Control Panel by the user. Protection against MITM attacks also offers the so-called Integrity Protection, as used in UMTS.