Man-in-the-Middle Attack

MITM stands for Man-in-the-Middle: the attack class where an attacker positions themselves between two communicating parties, reading and possibly modifying the traffic in transit. Variants include: ARP-spoofing on local networks, rogue Wi-Fi access points (evil twins), DNS hijacking, BGP hijacking at the network-routing layer, TLS-stripping, and certificate-substitution attacks against TLS connections. The structural threat against unencrypted traffic and against improperly-validated encrypted traffic.

What it means in practice

The defense against MITM is end-to-end encryption with proper authentication. TLS protects most modern internet traffic from MITM at the transit layer, with the caveat that the certificate-trust model relies on the client validating the server’s certificate against trusted roots. Compromise of the trust roots (a malicious certificate authority, a compromised client root store, an installed enterprise-MITM proxy with its own root in the user’s trust store) defeats TLS protection. Application-layer end-to-end encryption (Signal’s protocol, PGP for email, age for files) defeats MITM at the transit and at the server level: even the service provider cannot read the content. The structural threats that persist in 2026: TLS-stripping in environments where the user’s first request is HTTP (defeated by HSTS preloading), enterprise-MITM proxies installed on managed devices (visible to anyone who checks the trust store), and certificate-trust attacks on the small set of services that have weak certificate validation.

Where it shows up

Operationally relevant in: public Wi-Fi environments where evil-twin and ARP-spoofing attacks are documented at security conferences, hostile-jurisdiction environments where state-level MITM via compelled certificate injection is documented (Kazakhstan in 2019, Iran intermittently, Turkey in specific operations), corporate-managed-device environments where the employer has installed an enterprise-MITM proxy that decrypts and re-encrypts employee TLS traffic (legal in most jurisdictions but not always disclosed clearly), and the broader category of state-level surveillance against named targets where MITM may be deployed in addition to passive collection. The defenses are layered: VPN over an untrusted network defeats local MITM, application-layer end-to-end encryption defeats network and provider MITM, and certificate-pinning by client applications (Signal, banking apps) defeats certificate-trust attacks.

What you can change today

Three structural defenses. First, run a no-log VPN always-on so traffic on any network including potentially MITM-instrumented public Wi-Fi is encrypted before leaving the device. Second, use end-to-end encrypted messaging (Signal) for any conversation that matters; the protocol defeats MITM at the network and at the provider levels. Third, audit the trust store on managed devices: if your employer has installed a root certificate that allows enterprise MITM (visible in macOS Keychain Access, Windows Certificate Manager, or by checking the chain on TLS connections), assume work-device traffic is decrypted by the employer regardless of the destination URL. For high-target users: hardware-key 2FA defeats credential-stealing MITM phishing kits because the cryptographic binding to domain origin survives the proxy interception.

Related articles