Preview

Start a free Basic trial
to watch this video

Sign up for Treehouse

Man in the Middle

4:13 with Greg Stromire

When you talk to your friend on the phone or meet up with a coworker, you can recognize their voice or face. But computers aren’t that smart. Someone else could pretend to be Gmail, for example, and trick you (and your computer) into thinking you’re just logging into your email. They could even claim to be you to your contacts.

Teacher's Notes
Video Transcript
Downloads

New Terms:

Man in the Middle -- An attack where the attacker secretly relays and possibly alters the communication between two parties who believe they are directly communicating with each other.
HTTPS -- The secure version of HTTP, or HyperText Transfer Protocol. Allows traffic to be encrypted and authenticated, protecting privacy and can help prevent man in the middle attacks.
VPN -- Virtual Private Network, a way to redirect your internet traffic through an encrypted service for privacy and security. You can create your own though it may be simpler to a pay for commercial option.

Further Reading:

uBlock Origin
HTTPS Everywhere
Privacy Badger

0:00
When you talk to your friend on the phone or
0:02
meet up with a coworker, you can recognize their voice or face.
0:06
But computers aren't that smart.
0:08
To them, it's just ones and zeros coming and going.
0:10
And this lack of distinction can be exploited.
0:14
Someone else can pretend to be Gmail, for example, and trick you and
0:17
your computer into thinking you're just logging into your email.
0:21
They can even claim to be you to your contacts.
0:24
This video explores the general concept of this interception and
0:28
impersonation, called man-in-the-middle, and ways to prevent it.
0:32
Let's return to our illustration of common Internet traffic inside the coffee shop.
0:37
You're on your laptop,
0:38
connected to the open WiFi network with other people in the coffee shop as well.
0:43
One of those people could be malicious and take control of the coffee shop router.
0:47
[SOUND] Maybe the device is shipped with a default admin password that was never
0:52
changed.
0:52
It happens more often than you might think.
0:55
I'm simplifying a bit here, but this malicious user can send a message to
0:59
the router to say that their computer's IP address is actually the address for
1:03
a given website, http://LocalBank.com, for example.
1:08
Now all requests for http://LocalBank.com from that coffee shop will
1:13
go to that computer instead, including passwords or other secret information.
1:18
Sometimes this can be very difficult to detect.
1:21
That malicious user can pass on the traffic to the intended destination,
1:25
as well as pass back a response without anyone noticing a difference,
1:30
essentially just passively observing.
1:33
This is dangerous enough, as now they have your login credentials and
1:36
can access your account any time.
1:38
But let's you try to set up two factor auth for your account.
1:42
Your bank verifies it's you with some security questions that the attacker now
1:46
knows, and then you give them your phone number for them to text the code.
1:50
The malicious user can substitute their own phone number,
1:54
receive the texted code and enter it themselves, and then text you the code.
1:58
When you attempt to enter the code,
2:00
they already have the bank's response ready for you.
2:03
This is no longer just passive eavesdropping, now it's active deception.
2:09
The man-in-the-middle attack can take many different forms.
2:12
The key point here relates back to one of our first videos,
2:16
it's all about authenticity.
2:18
You want to be certain that the person you are talking to or
2:21
the website you are visiting is who they say they are.
2:24
How the Internet enforces this concept is usually through HTTPS.
2:29
HTTPS is a secure version of HTTP, or Hypertext Transfer Protocol.
2:35
These two protocols make up a large portion of how our Internet traffic works.
2:40
You can often see a green lock in your browser's address bar for
2:43
sites that support HTTPS, like Google or Facebook.
2:47
You should consider HTTPS a must for any activity that involves sensitive
2:51
information, like purchases or bank logins.
2:55
For this last example, if your bank's website is usually https://LocalBank.com,
3:01
but for some reason you could only get to http://LocalBank.com at the coffee shop,
3:06
then that could be a hint of a man-in-the-middle attack.
3:09
Certain browser plugins and tools like HTTPS Everywhere
3:13
can force your browser to serve the more secure versions of sites when available.
3:17
Another problem with that previous scenario is that you were stuck
3:20
with an open WiFi network.
3:22
The best solution would be to convince the coffee shop
3:25
to add a strong password to their network.
3:28
But even networks with shared pass phrases are not completely secure.
3:32
The next best option would be to use a VPN, or virtual private network.
3:37
These are networks that can be set up anywhere,
3:39
you can even do it yourself at home.
3:41
You would then route all traffic through this network, which you either control or
3:45
have considerably more trust in.
3:48
It then works very similar to HTTPS, where your traffic is encrypted and
3:52
private from eavesdropping.
3:55
VPNs can be a bit of an advanced topic, so we won't cover them
3:58
any more than to recommend them after some additional research.
4:02
Man-in-the-middle attacks are also a bit advanced, but
4:05
prevention is relatively simple, and the important takeaway is to consider it well
4:09
worth the effort to verify the authenticity of your traffic.

You need to sign up for Treehouse in order to download course files.

Sign up