ESTec Security
Man in the Middle Attack


In a man-in-the-middle attack the criminal inserts himself into a communications channel that both ends believe is secure, such as the SSL connection used in e-commerce and internet banking.

To do this the attacker sets up a phony site and redirects your traffic to it. The most common way to redirect you is to send you an e-mail that claims to come from your bank or credit card company, with a link that points to the phony site while the visible link text names the bank. Other ways are to get a JavaScript running in your browser, or to modify the hosts file on your computer so that the bank's name resolves to the attacker's server.

When you connect to the phony site thinking you are connecting to your bank, your browser and the phony site set up a secure, encrypted channel between them. The man in the middle then makes his own connection to the real bank and sets up a second encrypted link. Everything the bank sends to the man in the middle, believing it is sending to you, is copied by the man in the middle and forwarded to you, and everything you send is forwarded on to the bank. You see the bank's web site, everything looks normal, and you can access your accounts. Meanwhile the man in the middle is recording your passwords and account numbers so he can come back later and empty your bank account. Neither encrypted link is broken: each one is genuinely secure, but the wrong party is sitting at one end of it.

This attack is possible because your browser takes its information about the remote site from the site itself. When you make a secure connection the remote site presents a certificate containing its public key, and your browser uses that key to agree on a session key for the encrypted link. Before doing so the browser checks only two things: that the certificate was issued by an authority it trusts, and that the name in the certificate matches the host name in the address you connected to. As long as both hold, it does not warn you. The fact that you think you are connected to your bank when you are actually connected to Joe'sPhishing is not available to the browser; all it knows is that Joe'sPhishing.com presented a valid certificate for Joe'sPhishing.com. If you ask your browser for the certificate details you will see that you are connected to Joe'sPhishing, but as long as the site looks like your bank you have no reason to look. (A hosts-file redirection is the exception: the address bar still carries the bank's name, so a certificate issued for the attacker's own name will not match and the browser will warn, unless you click past the warning.)
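The following is an added example, not code from the ESTec page: a small Python model of the only name check a browser performs on a server certificate, applied to the hosts that two common phishing-link tricks actually connect to. The links, host names and certificate names (bank.example, joesphishing.example) are constructed for illustration and belong to no real site; the matching rule implemented is the usual browser rule that a wildcard covers exactly one leftmost label.

```python
"""Model of the browser's certificate-name check versus the user's intent.

Added example for the ESTec man-in-the-middle page; all hosts, links and
certificate names below are constructed and hypothetical.
"""
from typing import List, Tuple
from urllib.parse import urlsplit


def url_host(link: str) -> str:
    """Return the host the browser will really connect to for a link.

    Two phishing tricks keep the bank's name visible while pointing elsewhere:
      https://www.bank.example@joesphishing.example/   (userinfo trick)
      https://www.bank.example.joesphishing.example/   (subdomain trick)
    urlsplit().hostname drops the userinfo and port and lowercases the name.
    """
    host = urlsplit(link).hostname
    if host is None:
        raise ValueError("no host in link: %r" % link)
    return host


def name_matches(cert_name: str, host: str) -> bool:
    """Match one certificate name against a host name.

    Exact match, or a wildcard '*.' that covers exactly one leftmost label
    (so '*.joesphishing.example' matches 'login.joesphishing.example' but not
    'www.bank.example.joesphishing.example').
    """
    cert_name = cert_name.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if not cert_name.startswith("*."):
        return cert_name == host
    suffix = cert_name[1:]            # ".joesphishing.example"
    if not host.endswith(suffix):
        return False
    left = host[: -len(suffix)]       # the part the '*' must cover
    return bool(left) and "." not in left


def browser_accepts(cert_names: List[str], host: str, ca_trusted: bool) -> bool:
    """What the browser decides: a trusted issuer and a name matching the URL host.

    Note what is absent: nothing here knows which site the user *meant* to visit.
    """
    return ca_trusted and any(name_matches(n, host) for n in cert_names)


# Constructed phishing links (hypothetical domains) and the names the phisher
# can legitimately obtain a certificate for, since he controls that domain.
PHISHING_LINKS = [
    "https://www.bank.example@joesphishing.example/login",
    "https://www.bank.example.joesphishing.example/login",
]
PHISHING_CERT_NAMES = [
    "joesphishing.example",
    "*.joesphishing.example",
    "www.bank.example.joesphishing.example",
]
REAL_BANK_HOST = "www.bank.example"


def demo() -> List[Tuple[str, str, bool, bool]]:
    """For each link: (link, host connected to, browser accepts?, is it the bank?)."""
    rows = []
    for link in PHISHING_LINKS:
        host = url_host(link)
        accepted = browser_accepts(PHISHING_CERT_NAMES, host, ca_trusted=True)
        is_bank = name_matches(REAL_BANK_HOST, host)
        rows.append((link, host, accepted, is_bank))
    return rows


if __name__ == "__main__":
    for link, host, accepted, is_bank in demo():
        print("%-55s -> %-40s accepted=%s bank=%s" % (link, host, accepted, is_bank))
```

Both constructed links are accepted without any warning, because the certificate check passes for the host in the address and the bank's name in the link is never part of that check. The wildcard case also shows why the phisher includes the full fraudulent name in his certificate: a single wildcard would not cover the multi-label subdomain trick.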

There is a defence that stops this particular attack. The bank sets up its own certificate authority and issues each customer a client certificate and private key, handed over in person on a diskette at the bank rather than sent over the network. The key belongs to you and only to you, and the bank's site demands it before it will serve an account page. The man in the middle can still set up the phony site, but when he opens his second connection to the bank he cannot complete the log-in: proving possession of your key is part of the handshake, and the key never leaves your computer, so the password and account number he recorded are useless on their own. Two caveats apply. The protection holds only while the key stays where the attacker cannot read it, so if he can already run code on your computer (the JavaScript and hosts-file cases above) he may be able to copy it; and it does nothing to stop the phony site from collecting whatever you type into it.


©2002 ESTec Systems Corporation. All rights reserved.