Man-in-the-Middle Attack (MITM)
There are several ways a bad actor can break the trust SSL/TLS establishes and launch a man-in-the-middle attack:
- The server key for the website the client is visiting could be stolen, allowing the attacker to appear as the server
- The issuing Certificate Authority (CA) is compromised and the root key is stolen. In this case the bad actor can generate their own certificates signed by the stolen root key and all clients would trust the certificates
- The client fails to validate the certificate against trusted CAs
- The client is compromised and a fake CA is injected into the client trusted root authority. In many cases malware performs this action to redirect users to fake banking web sites
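Two of the failure modes above are ones a defender can check for in code: a client that fails to validate the server certificate, and a rogue CA injected into the client's trust store. The example below is added here and is not part of the original page or of Venafi's material; it uses only the Python standard library. The first function audits an `ssl.SSLContext` for disabled validation, and the second baselines the SHA-256 fingerprints of the roots a context trusts so that a newly injected root stands out. The names `audit_tls_context`, `unexpected_roots` and the "injected" byte string are assumptions constructed for illustration.

```python
"""Defender-side checks for two of the MITM failure modes listed above.

1. audit_tls_context(): confirms a client SSLContext still requires a
   CA-validated certificate and a matching hostname (the "client fails
   to validate" case).
2. unexpected_roots(): compares SHA-256 fingerprints of the roots a
   context trusts against a saved baseline, so a CA injected into the
   trust store shows up as a new fingerprint (the "fake CA" case).
"""
import hashlib
import ssl


def audit_tls_context(ctx: ssl.SSLContext) -> list[str]:
    """Return findings; an empty list means the context validates peers."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode is not CERT_REQUIRED: "
                        "server certificate is not validated")
    if not ctx.check_hostname:
        findings.append("check_hostname is False: "
                        "certificate may belong to a different host")
    return findings


def weakened_context() -> ssl.SSLContext:
    """The configuration a careless client ends up with (for contrast)."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_context() -> ssl.SSLContext:
    """The default context already requires validation and hostname checks."""
    return ssl.create_default_context()


def fingerprint_der(der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, colon-separated hex."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def unexpected_roots(trusted_der: list[bytes], baseline: set[str]) -> list[str]:
    """Fingerprints present in the trust store but absent from the baseline."""
    return sorted({fingerprint_der(d) for d in trusted_der} - baseline)


def load_system_roots() -> list[bytes]:
    """DER bytes of the CA certificates the default context has loaded.

    Note: on systems that use a capath directory, Python only reports
    roots that have already been used, so this list may be short.
    """
    return hardened_context().get_ca_certs(binary_form=True)


if __name__ == "__main__":
    print("weak context:   ", audit_tls_context(weakened_context()))
    print("default context:", audit_tls_context(hardened_context()))

    # Take a baseline of the live store, then simulate a root being added.
    roots = load_system_roots()
    baseline = {fingerprint_der(d) for d in roots}
    injected = b"-- constructed fake DER, not a real certificate --"  # constructed
    print("new roots since baseline:", unexpected_roots(roots + [injected], baseline))
```

In practice the baseline set would be stored at build or provisioning time and the comparison run periodically on the endpoint; any fingerprint that appears without a corresponding change ticket is the signal to investigate.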
The following diagram outlines how a hacker might use a rogue wireless access point to launch a man-in-the-middle attack. In this case, the hacker sets up an open wireless access point. When the victim visits a banking site, the criminal uses DNS spoofing to provide the target's browser with a fraudulent certificate. The victim, thinking that the certificate received is the bank's certificate, proceeds to log into the bank's website. However, the hacker's wireless access point acts as a proxy between the victim and the bank, allowing the hacker to read all the session information in clear text.
Reference: https://www.venafi.com/threat-center/threats-and-attacks/man-in-the-middle-attack