When you talk to your friend on the phone or meet up with a coworker, you can recognize their voice or face. But computers aren’t that smart. Someone else could pretend to be Gmail, for example, and trick you (and your computer) into thinking you’re just logging into your email. They could even claim to be you to your contacts.
New Terms:
- Man in the Middle -- An attack where the attacker secretly relays and possibly alters the communication between two parties who believe they are directly communicating with each other.
- HTTPS -- The secure version of HTTP, or HyperText Transfer Protocol. Allows traffic to be encrypted and authenticated, which protects privacy and can help prevent man in the middle attacks.
- VPN -- Virtual Private Network, a way to redirect your internet traffic through an encrypted service for privacy and security. You can create your own, though it may be simpler to pay for a commercial option.
When you talk to your
friend on the phone or
0:00
meet up with a coworker,
you can recognize their voice or face.
0:02
But computers aren't that smart.
0:06
To them, it's just ones and
zeros coming and going.
0:08
And this lack of distinction
can be exploited.
0:10
Someone else can pretend to be Gmail,
for example, and trick you and
0:14
your computer into thinking you're
just logging into your email.
0:17
They can even claim to
be you to your contacts.
0:21
This video explores the general
concept of this interception and
0:24
impersonation, called man-in-the-middle,
and ways to prevent it.
0:28
Let's return to our illustration of common
Internet traffic inside the coffee shop.
0:32
You're on your laptop,
0:37
connected to the open WiFi network with
other people in the coffee shop as well.
0:38
One of those people could be malicious and
take control of the coffee shop router.
0:43
[SOUND] Maybe the device is shipped with
a default admin password that was never
0:47
changed.
0:52
It happens more often
than you might think.
0:52
I'm simplifying a bit here, but
this malicious user can send a message to
0:55
the router to say that their computer's
IP address is actually the address for
0:59
a given website,
http://LocalBank.com, for example.
1:03
Now all requests for http://LocalBank.com
from that coffee shop will
1:08
go to that computer instead, including
passwords or other secret information.
1:13
Sometimes this can be
very difficult to detect.
1:18
That malicious user can pass on
the traffic to the intended destination,
1:21
as well as pass back a response
without anyone noticing a difference,
1:25
essentially just passively observing.
1:30
This is dangerous enough, as now
they have your login credentials and
1:33
can access your account any time.
1:36
But let's say you try to set up two
factor auth for your account.
1:38
Your bank verifies it's you with some
security questions that the attacker now
1:42
knows, and then you give them your
phone number for them to text the code.
1:46
The malicious user can substitute
their own phone number,
1:50
receive the texted code and enter it
themselves, and then text you the code.
1:54
When you attempt to enter the code,
1:58
they already have the bank's
response ready for you.
2:00
This is no longer just passive
eavesdropping, now it's active deception.
2:03
The man-in-the-middle attack
can take many different forms.
2:09
The key point here relates back
to one of our first videos,
2:12
it's all about authenticity.
2:16
You want to be certain that
the person you are talking to or
2:18
the website you are visiting
is who they say they are.
2:21
How the Internet enforces this
concept is usually through HTTPS.
2:24
HTTPS is a secure version of HTTP,
or Hypertext Transfer Protocol.
2:29
These two protocols make up a large
portion of how our Internet traffic works.
2:35
You can often see a green lock in
your browser's address bar for
2:40
sites that support HTTPS,
like Google or Facebook.
2:43
You should consider HTTPS a must for
any activity that involves sensitive
2:47
information, like purchases or
bank logins.
2:51
For this last example, if your bank's
website is usually https://LocalBank.com,
2:55
but for some reason you could only get to
http://LocalBank.com at the coffee shop,
3:01
then that could be a hint of
a man-in-the-middle attack.
3:06
Certain browser plugins and
tools like HTTPS Everywhere
3:09
can force your browser to serve the more
secure versions of sites when available.
3:13
Another problem with that previous
scenario is that you were stuck
3:17
with an open WiFi network.
3:20
The best solution would be
to convince the coffee shop
3:22
to add a strong password to their network.
3:25
But even networks with shared pass
phrases are not completely secure.
3:28
The next best option would be to use
a VPN, or virtual private network.
3:32
These are networks that
can be set up anywhere,
3:37
you can even do it yourself at home.
3:39
You would then route all traffic through
this network, which you either control or
3:41
have considerably more trust in.
3:45
It then works very similar to HTTPS,
where your traffic is encrypted and
3:48
private from eavesdropping.
3:52
VPNs can be a bit of an advanced topic,
so we won't cover them
3:55
any more than to recommend them
after some additional research.
3:58
Man-in-the-middle attacks
are also a bit advanced, but
4:02
prevention is relatively simple, and the
important takeaway is to consider it well
4:05
worth the effort to verify
the authenticity of your traffic.
4:09