Man in the Middle (4:13) with Greg Stromire
When you talk to your friend on the phone or meet up with a coworker, you can recognize their voice or face. But computers aren’t that smart. Someone else could pretend to be Gmail, for example, and trick you (and your computer) into thinking you’re just logging into your email. They could even claim to be you to your contacts.
- Man in the Middle -- An attack where the attacker secretly relays and possibly alters the communication between two parties who believe they are directly communicating with each other.
- HTTPS -- The secure version of HTTP, or HyperText Transfer Protocol. It allows traffic to be encrypted and authenticated, which protects privacy and can help prevent man-in-the-middle attacks.
- VPN -- Virtual Private Network, a way to redirect your internet traffic through an encrypted service for privacy and security. You can create your own, though it may be simpler to pay for a commercial option.
When you talk to your friend on the phone or meet up with a coworker, you can recognize their voice or face. But computers aren't that smart. To them, it's just ones and zeros coming and going. And this lack of distinction can be exploited. Someone else can pretend to be Gmail, for example, and trick you and your computer into thinking you're just logging into your email. They can even claim to be you to your contacts. This video explores the general concept of this interception and impersonation, called man-in-the-middle, and ways to prevent it.
Let's return to our illustration of common Internet traffic inside the coffee shop. You're on your laptop, connected to the open WiFi network with other people in the coffee shop as well. One of those people could be malicious and take control of the coffee shop router. [SOUND] Maybe the device is shipped with a default admin password that was never changed. It happens more often than you might think. I'm simplifying a bit here, but this malicious user can send a message to the router to say that their computer's IP address is actually the address for a given website, http://LocalBank.com, for example. Now all requests for http://LocalBank.com from that coffee shop will go to that computer instead, including passwords or other secret information.
Sometimes this can be very difficult to detect. That malicious user can pass on the traffic to the intended destination, as well as pass back a response without anyone noticing a difference, essentially just passively observing. This is dangerous enough, as now they have your login credentials and can access your account any time. But let's say you try to set up two-factor auth for your account. Your bank verifies it's you with some security questions that the attacker now knows, and then you give them your phone number for them to text the code. The malicious user can substitute their own phone number, receive the texted code and enter it themselves, and then text you the code. When you attempt to enter the code, they already have the bank's response ready for you. This is no longer just passive eavesdropping, now it's active deception.
The man-in-the-middle attack can take many different forms. The key point here relates back to one of our first videos, it's all about authenticity. You want to be certain that the person you are talking to or the website you are visiting is who they say they are. How the Internet enforces this concept is usually through HTTPS. HTTPS is a secure version of HTTP, or Hypertext Transfer Protocol. These two protocols make up a large portion of how our Internet traffic works. You can often see a green lock in your browser's address bar for sites that support HTTPS, like Google or Facebook. You should consider HTTPS a must for any activity that involves sensitive information, like purchases or bank logins. For this last example, if your bank's website is usually https://LocalBank.com, but for some reason you could only get to http://LocalBank.com at the coffee shop, then that could be a hint of a man-in-the-middle attack. Certain browser plugins and tools like HTTPS Everywhere can force your browser to serve the more secure versions of sites when available.
Another problem with that previous scenario is that you were stuck with an open WiFi network. The best solution would be to convince the coffee shop to add a strong password to their network. But even networks with shared pass phrases are not completely secure. The next best option would be to use a VPN, or virtual private network. These are networks that can be set up anywhere, you can even do it yourself at home. You would then route all traffic through this network, which you either control or have considerably more trust in. It then works very similar to HTTPS, where your traffic is encrypted and private from eavesdropping. VPNs can be a bit of an advanced topic, so we won't cover them any more than to recommend them after some additional research. Man-in-the-middle attacks are also a bit advanced, but prevention is relatively simple, and the important takeaway is to consider it well worth the effort to verify the authenticity of your traffic.