How To Protect Yourself From Man-in-the-Middle Attacks

One of the biggest threats to privacy is the Man-in-the-Middle attack. Using current web browsers, it is possible to know for certain if your browsing is private at an increasing number of web sites. Sometimes you can even know for certain that despite the lock and https protocol, your communication is not private!

Your web browser performs several checks before giving any indication that your browsing is private. First, it ensures that a third party (the “authority”) has shared a secret with the owners of the URL, and that nobody else knows that secret. Second, it confirms that the web server knows that secret. Only after both tests pass does it conclude that the authority vouches for the web server belonging to the URL, and that encrypted communication with it is private.

The key weakness in this scheme is that the browser has to trust the authority. There are many authorities, and anyone with access to your computer, including programs you download, can update that list. Once an attacker is listed as an authority, they can make your browser believe that any computer they control is any web server they choose.

Can I know if it’s truly private?

Current web browsers will attempt to identify the web site as an Extended Validation (EV) site. To do so, the browser validates the certificate using only its own built-in list of “factory-approved” authorities, and also ascertains that the authority in question took specific rigorous steps to confirm the identity of the owner of the website.

In addition to the normal indicators of privacy, an EV site is usually heralded by turning the address bar green or inserting the company name in green letters at the beginning of it. EV is your assurance that the secret was shared with a legitimate authority, and that your web browser is communicating securely with the web server you intended.

Conversely, if a specific site is EV on one computer and not on another, you know that communications on the second computer are not private.
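The two checks described above, the browser validating a site against a trusted authority and the same site being trusted on one machine but not another, as an added example that is not code from the original post. It builds a constructed legitimate root, a constructed rogue root that has been inserted into one machine's local store, and a server certificate for a hypothetical host that the rogue root issued, then validates that certificate against the browser's built-in roots and against the polluted local store; the CA names, the host bank.example and the helper functions are all assumptions.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// gen issues a certificate for cn; ca selects a CA template and a nil parent makes it self-signed. Constructed test data only.
func gen(cn string, ca bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), IsCA: ca,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	if !ca { // a server certificate must name the host it is issued for
		t.DNSNames, t.KeyUsage = []string{cn}, x509.KeyUsageDigitalSignature
	}
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { panic(err) }
	signer, issuer := key, t // self-signed unless a parent CA is given
	if parent != nil {
		signer, issuer = parentKey, parent
	}
	der, err := x509.CreateCertificate(rand.Reader, t, issuer, &key.PublicKey, signer)
	if err != nil { panic(err) }
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// Trusted reports whether leaf chains to a root in pool for host: the check a browser makes.
func Trusted(leaf *x509.Certificate, pool *x509.CertPool, host string) bool {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err == nil
}

// Compare validates one forged server certificate against the browser's built-in roots and
// against a local store with an inserted root; trusted locally but not built-in is the mismatch.
func Compare(host string) (builtIn, local bool) {
	legit, _ := gen("Legitimate Root CA", true, nil, nil)
	rogue, rogueKey := gen("Injected Root CA", true, nil, nil)
	factory, system := x509.NewCertPool(), x509.NewCertPool()
	factory.AddCert(legit)
	system.AddCert(legit)
	system.AddCert(rogue) // the attacker-added authority on this machine
	forged, _ := gen(host, false, rogue, rogueKey)
	return Trusted(forged, factory, host), Trusted(forged, system, host)
}
```

Compare("bank.example") returns (false, true): the forged certificate passes on the machine whose store was tampered with and fails against the built-in roots, which is the discrepancy the paragraph above tells you to look for.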

So green is guaranteed privacy?

There are other threats, such as key loggers or Man-in-the-Browser attacks, which are beyond the scope of this discussion. Even with that said, the EV designation itself might not mean what it should.

Microsoft describes how to make intranet sites appear as EV sites when viewed using IE – without the need for the EV process or even an independent authority. One must conclude that IE is designed to give EV indications to non-EV sites under certain conditions. In time, hackers may learn to leverage this to impersonate EV internet sites.

What to Do

Choose a respected open-source web browser. The source code of browsers such as Mozilla Firefox can be reviewed by any interested party, and independent experts analyze the code for defects and hidden agendas. Chromium is also open-source, so its semi-open derivatives (notably Google Chrome and Comodo Dragon) merit additional trust in this regard.

If you prefer the closed-source model, choose a browser without accompanying documentation describing how to mislead the user.

In a corporate environment, use tools such as BrowseControl and AccessPatrol to forestall the insertion of false authorities and prevent communication with illegitimate parties.

Do your sensitive online transactions with organizations which have attained EV status. For example, if your bank does not have an EV website, switch to one that does.

Sai Kit Chu
Sai Kit Chu is a Product Manager with CurrentWare. He enjoys helping businesses improve their employee productivity & data loss prevention efforts through the deployment of the CurrentWare solutions.