HTTP vs HTTPS and Man in The Middle Attack
What is HTTP?
The Hypertext Transfer Protocol (HTTP) is the foundation of the World Wide Web, and is used to load web pages using hypertext links. HTTP is an application layer protocol designed to transfer information between networked devices. A typical flow over HTTP involves a client machine making a request to a server, which then sends a response message.
Why is HTTP not secure?
HTTP requests and responses are sent in plaintext, which means that anyone positioned on the network path between the two systems can read them. Because HTTP data is not encrypted, it can be intercepted by third parties to gather the data passed between client and server.
HTTP VS HTTPS
HTTPS is HTTP with encryption and verification. The only difference between the two protocols is that HTTPS uses TLS (SSL) to encrypt normal HTTP requests and responses, and to digitally sign those requests and responses. As a result, HTTPS is far more secure than HTTP. A website that uses HTTP has http:// in its URL, while a website that uses HTTPS has https:// in its URL.
What is a man-in-the-middle (MiTM) attack?
A man-in-the-middle (MiTM) attack is a type of cyberattack in which communications between two parties are intercepted, often to steal login credentials or personal information, spy on victims, sabotage communications, or corrupt data.
How do MitM attacks work?
During MiTM attacks, cybercriminals insert themselves in the middle of data transactions or online communication. The attacker tricks the client and the server into believing that they are exchanging information with each other, while the attacker intercepts the data, creates a connection to the real site and acts as a proxy to read and insert false information into the communication.
What are the types of man-in-the-middle attacks?
- Internet Protocol spoofing. Like identity theft, IP spoofing takes place when cybercriminals alter the source IP address of a website, email address or device for the purpose of masking it. This dupes users into believing that they are interacting with a legitimate source, and the sensitive information they share during the transaction is transferred to the cybercriminals instead.
- Domain Name System spoofing. This is a type of man-in-the-middle attack where cybercriminals alter domain names to redirect traffic to fake websites. Users might think that they are reaching a secure and trusted website, but instead, they land on a website operated by cybercriminals. The main aim behind DNS spoofing is to reroute traffic to a fake website or to capture user login credentials.
- HTTPS spoofing. The HTTPS protocol is the embodiment of secure internet communications, and HTTPS indicates a safe and trusted website. During an HTTPS spoofing attack, a browser session is redirected to an unsecured, HTTP-based website without the user’s knowledge or consent. Cybercriminals can monitor user interactions and steal shared personal information through this redirection.
- Secure Sockets Layer hijacking. SSL is a protocol that establishes an encrypted connection between a browser and the web server. During SSL hijacking, a cybercriminal might use another computer and a secure server to intercept all information traveling between the server and the end user’s computer.
- Email hijacking. This is a type of MiTM attack where cybercriminals gain control of email accounts of banks and other financial institutions to monitor any transactions that users conduct. Cybercriminals may even spoof the bank’s email address and send instructions to customers that lead them to unknowingly transfer their money to the cybercriminals.
- Wi-Fi eavesdropping. This MiTM attack is one of the many risk factors posed by public Wi-Fi. During this attack, public Wi-Fi users get tricked into connecting to malicious Wi-Fi networks and hotspots. Cybercriminals accomplish this by setting up Wi-Fi connections with names that resemble nearby businesses.
- Session hijacking. Also known as stealing browser cookies, this malicious practice takes place when cybercriminals steal personal data and passwords stored inside the cookies of a user’s browsing session. Sometimes, cybercriminals can gain endless access to users’ saved resources. For example, they might steal users’ confidential data and identities, purchase items or steal money from their bank accounts.
- Cache poisoning. Also known as Address Resolution Protocol (ARP) cache poisoning, this popular modern-day MiTM attack enables cybercriminals who are on the same subnet as the victims to eavesdrop on all traffic being routed between them.
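The last item above is also the one most visible to a defender on the wire: the poisoned mapping has to be announced in ARP replies. As an added example that is not part of the original article, the following Python applies an arpwatch-style check to constructed lines in tcpdump's ARP output format: it flags an IP address whose MAC suddenly changes (high severity when the IP is a known gateway) and a single MAC that claims several IPs. SAMPLE_CAPTURE and the gateway address are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines in tcpdump's ARP output format (not a real capture).
SAMPLE_CAPTURE = """\
12:00:01.000000 ARP, Reply 192.168.1.1 is-at aa:bb:cc:00:00:01, length 28
12:00:01.500000 ARP, Reply 192.168.1.20 is-at aa:bb:cc:00:00:20, length 28
12:00:02.000000 ARP, Request who-has 192.168.1.20 tell 192.168.1.1, length 28
12:00:02.000000 ARP, Reply 192.168.1.1 is-at aa:bb:cc:00:00:01, length 28
12:00:02.200000 ARP, Reply 192.168.1.1 is-at de:ad:be:ef:00:99, length 28
12:00:02.400000 ARP, Reply 192.168.1.20 is-at de:ad:be:ef:00:99, length 28
""".splitlines()

ARP_REPLY_RE = re.compile(
    r"^(?P<ts>\S+) ARP, Reply (?P<ip>[\d.]+) is-at (?P<mac>[0-9a-fA-F:]{17})")

def parse_arp_replies(lines):
    """Yield (timestamp, ip, mac) for each ARP reply; requests are ignored."""
    for line in lines:
        m = ARP_REPLY_RE.match(line)
        if m:
            yield m["ts"], m["ip"], m["mac"].lower()

def detect_arp_poisoning(replies, known_gateways=()):
    """arpwatch-style checks: an IP whose MAC changes, and a MAC claiming
    several IPs (the pattern of one host answering for both gateway and victim).
    A DHCP lease moving to a new device also flips the MAC, so a 'changed'
    alert is a lead to correlate with DHCP logs, not proof on its own."""
    ip_to_mac, mac_to_ips, alerts = {}, defaultdict(set), []
    for ts, ip, mac in replies:
        prev = ip_to_mac.get(ip)
        if prev is not None and prev != mac:
            severity = "high" if ip in known_gateways else "medium"
            alerts.append((ts, severity, f"{ip} changed from {prev} to {mac}"))
        ip_to_mac[ip] = mac
        if ip not in mac_to_ips[mac]:
            mac_to_ips[mac].add(ip)
            if len(mac_to_ips[mac]) > 1:
                alerts.append((ts, "medium",
                               f"{mac} claims multiple IPs: {sorted(mac_to_ips[mac])}"))
    return alerts

def analyze_sample():
    return detect_arp_poisoning(parse_arp_replies(SAMPLE_CAPTURE),
                                known_gateways={"192.168.1.1"})

if __name__ == "__main__":
    for ts, severity, message in analyze_sample():
        print(ts, severity.upper(), message)
```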
CONCLUSIONS:
HTTPS (or, more accurately, TLS (SSL)) is specifically designed to prevent MITM attacks.
Web browsers ensure that the certificate presented by the server is correctly labeled with the domain name of the website and that it has a chain of trust back to a well-known certificate authority. In most cases, this is sufficient to prevent anyone from impersonating the website.
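As an added illustration that is not part of the original article, the following Python performs the checks just described on a certificate in the dict shape that Python's ssl.getpeercert() returns: the hostname match against the subjectAltName entries (with the usual rule that a wildcard may replace only the whole leftmost label) and the validity period. SAMPLE_CERT and the trusted-issuer set are constructed here, and matching the issuer by name is a stand-in for the real signature-chain check, which needs the CA's public key.

```python
import ssl
from datetime import datetime, timezone

# Constructed sample in the shape returned by ssl.SSLSocket.getpeercert().
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("organizationName", "Example Trusted CA"),),),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "*.example.com"),
                       ("IP Address", "192.0.2.10")),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Dec 31 23:59:59 2025 GMT",
}

def utc_epoch(year, month, day):
    return datetime(year, month, day, tzinfo=timezone.utc).timestamp()

def _dns_match(pattern, hostname):
    """A '*' may stand only for the whole leftmost label (RFC 6125 style)."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p, h = pattern.split("."), hostname.split(".")
    # Reject '*.com'-style patterns and wildcards spanning several labels.
    if p[0] != "*" or len(p) < 3 or len(p) != len(h):
        return False
    return p[1:] == h[1:]

def cert_matches_host(cert, hostname):
    """Browser-style name check: subjectAltName only, commonName is ignored."""
    sans = cert.get("subjectAltName", ())
    if hostname in [v for k, v in sans if k == "IP Address"]:
        return True
    return any(_dns_match(v, hostname) for k, v in sans if k == "DNS")

def cert_valid_at(cert, when_epoch):
    start = ssl.cert_time_to_seconds(cert["notBefore"])
    end = ssl.cert_time_to_seconds(cert["notAfter"])
    return start <= when_epoch <= end

def verify_presented_cert(cert, hostname, trusted_issuers, when_epoch):
    """Return the reasons a browser would refuse this certificate (empty = ok)."""
    problems = []
    if not cert_matches_host(cert, hostname):
        problems.append("hostname mismatch")
    if not cert_valid_at(cert, when_epoch):
        problems.append("outside validity period")
    # Issuer-name lookup stands in for signature-chain verification (assumption).
    issuer = dict(pair for rdn in cert.get("issuer", ()) for pair in rdn)
    if issuer.get("organizationName") not in trusted_issuers:
        problems.append("issuer not in trust store")
    return problems
```

With a live connection the same dict comes from ssl.SSLSocket.getpeercert() after a handshake made with ssl.create_default_context(), which already enforces these checks; the functions above only make them visible.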
You can also launch an MITM attack by obtaining a certificate from a well-known certificate authority that contains the domain name of the website you want to impersonate. This is possible (and has been done) through social engineering and hacking into registrars.
How to perform “ARP Cache Poisoning” like a Hacker?