Questions tagged [man-in-the-middle]

An attacker who interposes himself in the middle of a connection.

An attacker who interposes himself between a client and a server. He can perpetrate both passive (eavesdropping) and active (interjection or truncation) attacks. Secure protocols such as HTTPS can guard against these attacks when correctly implemented at all layers including the application layer.

215 questions

5 votes, 1 answer

Why doesn't SSH use the interlock protocol?

It seems that the SSH designers cared a great deal about man-in-the-middle attacks. Their approach was to save the server's public key fingerprint the first time you're connected to the server (and hope that the user doesn't connect from a poisoned…
Elazar Leibovich

5 votes, 1 answer

HSTS bypass with sslstrip+ & dns2proxy

I am trying to understand how to bypass HSTS protection. I've read about tools by LeonardoNve ( https://github.com/LeonardoNve/sslstrip2 and https://github.com/LeonardoNve/dns2proxy ). But I don't quite get it. If the client is requesting for the…
Nikkolasg

5 votes, 1 answer

Does PHP's fopen() protect against typical attacks when accessing https resources?

If I use PHP's fopen() function to retrieve data from an HTTPS website, is that what one would call a secure HTTPS connection? I.e., does it provide protection against man-in-the-middle and eavesdropping attacks?
Kenneth Poulsen

4 votes, 2 answers

How to exploit Diffie-hellman to perform a man in the middle attack

I'm doing a project where Alice and Bob send each other messages using the Diffie-Hellman key exchange. What is throwing me for a loop is how to incorporate the certificate they are using in this so I can obtain their secret messages. From what I…
jfisk

4 votes, 1 answer

Man in the Middle attack in C with ping echo request

I'm implementing man in the middle attack in C. There are three docker containers: Host A (sender), Host B (receiver), and Host M (attacker). My objective is to ping from Host A to Host B but sniffing the echo request from A at M and then relay the…
3N4N

4 votes, 1 answer

Generate human-distinguishable picture based on string (or uuid)

TL;DR: I'm creating an application: end-to-end encrypted chat between two or more users, and need a fast and convenient way to visually check for an absence of man-in-the-middle. The idea behind an app: Alice and Bob frontend app generates RSA…

4 votes, 1 answer

Altering packets on the fly with scapy as a MITM

Assuming I managed to be in the middle of the communication between a client and a server (let's say that I open up a hotspot and cause the client to connect to the server only through my machine). How can I alter packets that my client sends and…
Jon Snow

4 votes, 1 answer

How do certificate avoid the man in the middle attack?

I have another question about security on the web. If I understand it correctly, certificates are for identifying who you really are. So the man-in-the-middle attack isn't possible. But when I see this…
SCBoy

4 votes, 1 answer

How can I force iOS MapKit to use HTTPS for all its communications?

Embedding a map in my app causes many HTTP requests to be produced, of the form: http://gspe19.ls.apple.com/tile.vf?flags=1&style=1&size=2&scale=0&v=99999999&z=99&x=9999&y=9999&checksum=1&sid=999999&accessKey=XXXXXX This is the tile data that is…

4 votes, 1 answer

squid ssl-bump 3.5.4: error - Error negotiating SSL connection on FD 10: Success (0)

I am trying to install squid 3.5.4 (on docker, running debian 8) and run it in ssl-bump mode. Compilation: ./configure --prefix=/opt/squid --srcdir=. --disable-maintainer-mode \ --disable-dependency-tracking --disable-silent-rules…
ashish behl

4 votes, 1 answer

How does HTTPS prevent replay attacks?

When an HTTPS conversation is initiated, a random number is generated to create a key for the exchange (or something like that). What I don't understand is how this prevents replay attacks. Why can't an attacker just repeat all the requests that the…
Chris Middleton

4 votes, 1 answer

Destroy a Flask Restful Token

The following Flask RESTful Destroy User Token discusses how to destroy a Flask token; however, this does not prevent a man-in-the-middle attack. Is there any way to invalidate the token so it is no longer active before the time it expires?
Adil Ansari

4 votes, 1 answer

Android prevent man-in-the middle attack for SSL

I'm using HTTPS in my Android app to communicate with my own API. When I packet sniff, I don't see any information which is good. However, when I use software like Fiddler2 to install a trusted certificate on my Android, I can see all my HTTPS…
AlAsiri

4 votes, 1 answer

Encrypting Amazon S3 URL over the network to secure data access

I want to host copyrighted data on an Amazon S3 bucket (to have a larger bandwidth available than what my servers can handle) and provide access to this copyrighted data for a large number of authorized clients. My problem is: I create signed…
Mick F

4 votes, 2 answers

Does HSTS header really help against MITM attacks?

I've read OWASP's HSTS cheat sheet at https://www.owasp.org/index.php/HTTP_Strict_Transport_Security#Browser_Support and also watched the related video: https://www.youtube.com/watch?v=zEV3HOuM_Vw but still I can't understand how this helps against…
Andrey