Technical Deep-Dives

MITM Attacks: How to Detect and Stop Them in 2026

MITM attacks in 2026: how attackers intercept traffic via SSL stripping, ARP spoofing, DNS hijack. The 7 defences every SaaS team must implement now.

RG&T
Rathnakara GN & Theertha
Cybersecify
9 min read

Article 5 of 6: Understanding TLS Security Series

A Man-in-the-Middle (MITM) attack occurs when an attacker secretly intercepts and potentially modifies communication between two parties who believe they are communicating directly. MITM requires network positioning first (ARP spoofing, DNS spoofing, rogue WiFi access point, BGP hijack) before the attacker can attempt TLS interception. The seven defences every SaaS team must layer in 2026 are: TLS 1.3 protocol, HSTS with preload to defeat SSL stripping, Certificate Transparency monitoring, certificate pinning for mobile apps, DNSSEC plus DNS over HTTPS, Encrypted Client Hello (ECH) to hide SNI, and 802.1X or WPA3-Enterprise on corporate networks. This article covers MITM attack techniques, TLS interception methods, detection strategies, and modern defenses including ECH.

Key findings

  • MITM is a two-stage attack. Stage one is network positioning (ARP spoofing, DNS spoofing, rogue access point, BGP hijack). Stage two is TLS interception (SSL stripping, fake certificate, trusted CA proxy). Defences must address both stages.
  • SSL stripping is defeated by HSTS plus the browser preload list. The first visit is still vulnerable to HTTP, which is why submission to hstspreload.org matters for high-value domains.
  • Certificate Transparency logs detect rogue CA-issued certificates. Every publicly trusted certificate issued after 2018 must be logged in CT; monitor crt.sh or Certificate Transparency Reports for unauthorized certificates for your domains.
  • HTTP Public Key Pinning (HPKP) is deprecated in browsers but certificate pinning is still used in mobile apps. Use SPKI (Subject Public Key Info) pins with at least one backup pin to avoid lockout on key rotation.
  • Encrypted Client Hello (ECH) hides the SNI field that previously leaked the destination hostname even on TLS 1.3. Cloudflare enables ECH by default for all sites; Chrome and Firefox support it.
  • Detection at the user layer is unreliable. Users rarely notice certificate warnings or extra latency. Infrastructure-level monitoring (CT log alerts, gateway MAC change alerts, DNS response anomalies) catches MITM faster than user reports.
  • VPN on untrusted networks is the strongest personal defence. It moves the trust boundary from “the WiFi network I’m on” to “the VPN endpoint I control.”

Cybersecify is a founder-led penetration testing and security consulting firm based in Bengaluru, India, serving AI-first and API-first SaaS startups. We test MITM-vulnerability classes including TLS interception, certificate pinning bypass, HSTS misconfiguration, and protocol downgrade attacks in Web App, API, and Cloud Pentest engagements. For an example of the pentest deliverable that documents these findings, see our SOC 2 + ISO 27001 ready pentest report sample.

This article covers MITM attack techniques, TLS interception methods, detection strategies, and modern defenses including Encrypted Client Hello (ECH).

MITM Attack Overview

VICTIM  ────►  ATTACKER  ────►  SERVER
        ◄────            ◄────
Thinks talking     Intercepts, reads,     Thinks talking
to server          modifies traffic       to client
Attack PhaseDescription
1. PositioningAttacker places themselves between victim and server
2. InterceptionTraffic is routed through attacker’s system
3. DecryptionAttacker terminates TLS, creates new connection to server
4. InspectionAttacker reads/modifies plaintext data
5. Re-encryptionData re-encrypted and forwarded to destination

MITM Defense Layers

LayerTechnologyProtection
ProtocolTLS 1.3Encrypted handshake, mandatory ECDHE
DowngradeHSTS + PreloadPrevents SSL stripping
CertificateCertificate TransparencyDetects rogue certificates
MobileCertificate PinningRejects unexpected certificates
DNSDoH/DoT + DNSSECPrevents DNS spoofing
PrivacyECH (Encrypted Client Hello)Hides SNI from observers
Network802.1X, WPA3-EnterprisePrevents rogue AP, ARP attacks
VPNAlways-on VPNEncrypts all traffic to trusted endpoint

1. Network Positioning Techniques

Theory: How It Works

Before intercepting TLS traffic, the attacker must position themselves in the network path. Several techniques exist:

ARP Spoofing (Local Network):

  1. Attacker sends fake ARP replies to victim
  2. Victim’s ARP cache maps gateway IP to attacker’s MAC
  3. All traffic to gateway flows through attacker

DNS Spoofing:

  1. Attacker responds to DNS queries before legitimate server
  2. Victim resolves domain to attacker’s IP
  3. All HTTPS traffic goes to attacker’s server

Rogue Access Point:

  1. Attacker sets up fake WiFi with legitimate-sounding name
  2. Victim connects to attacker’s network
  3. All traffic passes through attacker-controlled router

Practical: Tools & Detection

# ARP Spoofing with arpspoof (dsniff)
arpspoof -i eth0 -t <victim_ip> <gateway_ip>
arpspoof -i eth0 -t <gateway_ip> <victim_ip>

# Using ettercap
ettercap -T -M arp:remote /<victim_ip>// /<gateway_ip>//

# Using bettercap
bettercap -iface eth0 -eval "set arp.spoof.targets <victim_ip>; arp.spoof on"

Reality: Detection & Prevention

TechniqueDetectionPrevention
ARP SpoofingARP table changes, duplicate IPsStatic ARP entries, DAI on switches
DNS SpoofingUnexpected DNS responsesDNSSEC, DNS over HTTPS (DoH)
Rogue APDuplicate SSIDs, weak signal802.1X, WPA3, VPN
BGP HijackingRoute changes, tracerouteRPKI, BGPsec

2. TLS Interception Techniques

Theory: How It Works

Once positioned, the attacker must break TLS encryption. There are several approaches:

SSL Stripping:

  1. Attacker intercepts HTTP redirect to HTTPS
  2. Maintains HTTP connection to victim
  3. Creates HTTPS connection to server
  4. Victim never sees HTTPS, so no certificate warnings

Fake Certificate:

  1. Attacker generates certificate for target domain
  2. Signs with self-signed or rogue CA
  3. Presents to victim, and browser shows warning
  4. If victim clicks through, attacker has plaintext

Trusted CA Interception (Corporate/Government):

  1. Organization installs root CA on all devices
  2. Proxy generates trusted certs for any domain
  3. No warnings shown (legitimate use for monitoring)

Practical: Tools

# SSL Stripping with sslstrip
# Enable IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

# Redirect HTTP to sslstrip
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080

# Run sslstrip
sslstrip -l 8080
# TLS Interception with mitmproxy
# Generate CA certificate
mitmproxy  # Creates ~/.mitmproxy/mitmproxy-ca-cert.pem

# Install CA on victim device, then intercept
mitmproxy --mode transparent --showhost

Reality: Effectiveness

TechniqueWarning?EffectivenessDefense
SSL StrippingNo padlockHigh if no HSTSHSTS preload
Self-signed certYes (scary)Low (obvious)User education
Rogue CA certNoCriticalCert pinning
Corporate proxyNo (trusted)TotalPolicy/legal

3. HSTS (HTTP Strict Transport Security)

Theory: How It Works

HSTS forces browsers to only use HTTPS for a domain, defeating SSL stripping attacks.

How HSTS Works:

  1. Server sends HSTS header: Strict-Transport-Security: max-age=31536000
  2. Browser remembers: “Only use HTTPS for this domain”
  3. Future HTTP requests automatically upgraded to HTTPS
  4. SSL stripping fails because browser refuses HTTP

HSTS Preloading:

First visit is still vulnerable to SSL stripping. Solution: HSTS preload list is hardcoded in browsers. Sites submit to hstspreload.org and are included in browser source code. The HSTS mechanism is defined in RFC 6797.

Practical: Configuration

# HSTS Header Examples

# Basic HSTS (1 year)
Strict-Transport-Security: max-age=31536000

# Include subdomains
Strict-Transport-Security: max-age=31536000; includeSubDomains

# Ready for preload list
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

Nginx Configuration:

add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;

Check HSTS Status:

# Check if HSTS header present
curl -sI https://example.com | grep -i strict

Reality: Limitations

LimitationDetails
First VisitInitial HTTP request still vulnerable; use preload
ExpiryIf max-age expires, protection lost; use long max-age
SubdomainsMust explicitly include subdomains
Preload RemovalRemoving from preload list takes months

4. Certificate Pinning

Theory: How It Works

Certificate pinning associates a host with its expected certificate or public key, preventing MITM even with a rogue CA.

What Can Be Pinned:

  • Leaf certificate: most specific, breaks on renewal
  • Intermediate CA: good balance, survives leaf renewal
  • Public key (SPKI): survives cert renewal if key unchanged
  • Root CA: least specific, highest risk if CA compromised

Practical: Implementation

Generate Pin Hash:

# Extract SPKI hash from certificate
openssl x509 -in cert.pem -pubkey -noout | \
  openssl pkey -pubin -outform der | \
  openssl dgst -sha256 -binary | base64

Mobile App Pinning (Android, OkHttp):

CertificatePinner pinner = new CertificatePinner.Builder()
  .add("example.com", "sha256/AAAAAAAAAAAAAAAAAAAAAA...=")
  .build();

Reality: Considerations

ConsiderationDetails
Backup PinsAlways include backup pin to prevent lockout on rotation
HPKP DeprecatedHTTP Public Key Pinning removed from browsers (too risky)
Mobile AppsStill widely used in mobile apps (more controlled)
CT AlternativeCertificate Transparency provides similar protection

5. Encrypted Client Hello (ECH)

ECH encrypts the SNI field in Client Hello, hiding which website you’re connecting to. Combined with TLS 1.3 encrypted certificates and DoH, this provides near-complete privacy from network observers.

# Check ECH support
dig +short TYPE65 _https.cloudflare.com

# Check HSTS header
curl -sI https://example.com | grep -i strict

2026 ECH Adoption:

PlatformStatus
CloudflareECH enabled by default for all sites
ChromeECH supported since 2023
FirefoxECH enabled by default

6. MITM Detection Techniques

Practical: Detection Methods

Network Layer Detection:

# Detect ARP spoofing
arp -a | sort  # Look for duplicate MACs
arpwatch -i eth0  # Monitor ARP changes

# Detect rogue DHCP
nmap --script broadcast-dhcp-discover

Certificate Analysis:

# Check certificate issuer
openssl s_client -connect example.com:443 2>/dev/null | \
  openssl x509 -noout -issuer

# Check Certificate Transparency logs
# Visit: crt.sh, censys.io, or transparencyreport.google.com

Detection Indicators:

IndicatorNormalMITM Suspected
Certificate IssuerLet’s Encrypt, DigiCert, etc.Unknown CA, self-signed
Gateway MACConsistentChanges frequently
DNS ResponseExpected IPDifferent IP, fast response
LatencyNormalIncreased (extra hop)
CT LogsCertificate presentCertificate missing

Users rarely notice MITM attacks. Detection is most effective at the infrastructure level with proper monitoring and automated alerting.

Key Takeaways

  • MITM requires network positioning first (ARP, DNS, rogue AP)
  • SSL stripping is defeated by HSTS + preload list
  • Rogue CA certs detected by Certificate Transparency
  • Certificate pinning protects mobile apps
  • TLS 1.3 encrypted handshake hides more metadata
  • ECH hides SNI for complete privacy
  • Use VPN on untrusted networks
  • Never click through certificate warnings

Previous: Article 4: TLS Attacks & Vulnerabilities

Next: Article 6: TLS Hardening Guide

This is part of our 6-article series on Understanding TLS Security.

MITM vulnerabilities are a core focus of our Web Application Pentest, API Pentest, and IoT Pentest. We test certificate pinning, TLS interception, and protocol downgrade attacks. Get a free security snapshot or view pricing.

Related: TLS 1.2 Deep Dive: Complete Handshake Breakdown, TLS Attacks and Vulnerabilities: A Pro Guide, SOC 2 + ISO 27001 ready pentest report sample.

Frequently Asked Questions

How do man-in-the-middle attacks work?

An attacker positions themselves between two communicating parties using techniques like ARP spoofing, DNS spoofing, or rogue WiFi access points. They intercept traffic, terminate the TLS connection, read or modify the plaintext data, re-encrypt it, and forward it to the destination. Both parties believe they are communicating directly. MITM is structurally a two-stage attack. Stage one is network positioning (ARP spoofing on local networks, DNS spoofing across resolvers, rogue access points in public spaces, BGP hijack at internet-routing layer). Stage two is TLS interception (SSL stripping, fake certificate presentation, or trusted-CA proxy on corporate or government networks). Defences must address both stages independently because controls that defeat one stage do nothing against the other.

How do you prevent MITM attacks on a web application?

Deploy TLS 1.3, enable HSTS with preloading to prevent SSL stripping, implement Certificate Transparency monitoring, use certificate pinning for mobile apps, enable DNSSEC with DNS-over-HTTPS, and enforce 802.1X or WPA3-Enterprise on corporate networks. Each layer addresses a different attack vector in the MITM kill chain. TLS 1.3 protects the channel. HSTS plus preload defeats SSL stripping. Certificate Transparency catches rogue CA-issued certs. Pinning protects mobile apps from CA compromise. DNSSEC and DoH prevent resolver spoofing. WPA3-Enterprise prevents rogue access point attacks. Detection at the user layer is unreliable because users rarely notice certificate warnings or extra latency; infrastructure-level monitoring (CT log alerts, gateway MAC change alerts, DNS response anomalies) catches MITM faster than user reports.

What is SSL stripping and how do I prevent it?

SSL stripping is an MITM attack where the attacker intercepts the HTTP-to-HTTPS upgrade and maintains an unencrypted HTTP connection to the victim while keeping an HTTPS connection to the real server. The victim sees normal-looking HTTP, no certificate warnings appear, and the attacker reads everything in plaintext. The defence is HSTS (HTTP Strict Transport Security, RFC 6797), which tells browsers to use only HTTPS for a domain. The first visit is still vulnerable because the browser has not yet seen the HSTS header. The fix for first-visit protection is the HSTS preload list: sites submit to [hstspreload.org](https://hstspreload.org/) and get hardcoded into browser source code. For any production SaaS handling credentials or payments, HSTS preload submission is the baseline.

What is Certificate Transparency and how does it stop MITM?

Certificate Transparency (CT) is a system where every publicly trusted TLS certificate must be logged in append-only public CT logs at issuance time. Browsers reject certificates that lack valid CT proofs. The MITM defence: if a rogue or compromised CA issues a fraudulent certificate for your domain, the issuance appears in CT logs within hours, and you can detect it by monitoring [crt.sh](https://crt.sh/) or Google's Certificate Transparency Reports for unauthorized certificates on your domains. Every publicly trusted certificate issued after 2018 must appear in CT. The monitoring is cheap: an alert pipeline that watches crt.sh for new certificates matching your domains catches rogue issuance long before the certificate can be used in a successful MITM attack against your users.

Is certificate pinning still recommended in 2026?

Conditionally. HTTP Public Key Pinning (HPKP) was deprecated and removed from browsers because misconfigured pins permanently locked users out of websites. Browser pinning is no longer used. Mobile app certificate pinning is still widely used and recommended because the app developer controls both the pinning configuration and the update cycle, so the lockout risk is bounded. For mobile pinning, use SPKI (Subject Public Key Info) pins, not leaf certificate pins (which break on renewal). Always include at least one backup pin so key rotation does not brick the app. For web applications, rely on Certificate Transparency monitoring instead of pinning. Cybersecify tests pinning bypass in mobile app pentest engagements using Frida, Objection, and custom hooks against common pinning libraries.

Can a VPN protect me from MITM attacks on public WiFi?

Yes, with caveats. A VPN moves the trust boundary from 'the WiFi network I'm on' to 'the VPN endpoint I control'. An attacker on the public WiFi can no longer perform ARP spoofing, DNS spoofing, or rogue access point attacks against your traffic because everything between you and the VPN endpoint is encrypted. The caveats: the VPN provider itself becomes a trust point, so use a reputable VPN with a no-logs policy and audited infrastructure. Free VPNs often have worse privacy than the public WiFi they replace. For corporate users, an always-on VPN to a company-controlled endpoint is the strongest personal defence against MITM on untrusted networks. For consumer users, pair the VPN with DNS-over-HTTPS to prevent DNS leaks outside the tunnel.

What is Encrypted Client Hello (ECH) and does it help against MITM?

Encrypted Client Hello (ECH) encrypts the entire TLS Client Hello message, including the SNI (Server Name Indication) field that previously leaked the destination hostname even on TLS 1.3. Without ECH, a passive observer on the network path sees the server IP and the SNI hostname, learning which website you are visiting even though the certificate and application data are encrypted. ECH plus DNS-over-HTTPS hides both the hostname and the DNS lookup. ECH does not directly prevent MITM (it does not change the TLS authentication path) but it removes the metadata an attacker uses to identify targets worth attacking. Cloudflare enables ECH by default for all sites. Chrome has supported it since 2023. Firefox enables it by default.

How do I detect ARP spoofing on a local network?

ARP spoofing leaves detectable artifacts on the local network. Manual detection: run `arp -a | sort` periodically and look for duplicate MAC addresses or unexpected changes in the gateway MAC. Automated detection: deploy `arpwatch` on a Linux host on the network, which monitors ARP changes and emails alerts when the gateway MAC changes or a new MAC-IP pairing appears. Switch-level prevention: enable Dynamic ARP Inspection (DAI) on managed switches, which validates ARP packets against a trusted binding table built from DHCP snooping. For SaaS company offices, the practical posture is DAI on managed switches plus 802.1X authentication on the wired and wireless networks. For remote workers, the practical posture is always-on VPN regardless of local-network MITM risk.

Does DNSSEC prevent DNS-based MITM attacks?

Yes, when properly deployed. DNSSEC (DNS Security Extensions) cryptographically signs DNS responses, allowing resolvers to verify that a response came from the authoritative server and was not modified in transit. A DNS spoofing attack that returns a forged response to direct your browser to an attacker-controlled IP fails DNSSEC validation and is rejected. The caveats: the domain owner must enable DNSSEC signing on the authoritative DNS, and the client resolver must perform validation. Many consumer ISPs do not validate DNSSEC. Pair DNSSEC with DNS-over-HTTPS (DoH) or DNS-over-TLS (DoT) on the client side to encrypt the resolver query and prevent on-path tampering. Cloudflare 1.1.1.1, Google 8.8.8.8, and Quad9 9.9.9.9 all validate DNSSEC and support DoH.

Does Cybersecify test for MITM vulnerabilities in pentest engagements?

Yes. MITM vulnerability classes (TLS interception, certificate pinning bypass, HSTS misconfiguration, protocol downgrade, weak cipher suites, missing Certificate Transparency monitoring, DNS rebinding) are core to our [Web Application Pentest](/services/web-application-pentest/), [API Pentest](/services/api-pentest/), and [IoT Pentest](/services/iot-pentest/) scope. For mobile apps specifically, we test certificate pinning bypass using Frida, Objection, and custom hooks against the major pinning libraries (OkHttp CertificatePinner, NSURLSession ATS, TrustKit, Alamofire ServerTrustManager). Findings include severity-rated remediation guidance with code-level examples. The Growth Pentest plan (INR 1,79,999) covers up to 2 scopes; the Startup Pentest plan (INR 74,999) covers 1 scope. Both include 1 free retest. See [pricing](/pricing/) for plan comparison or [sample report](/sample-report/) for deliverable structure.

Got a question or counter-take?

Email contact@cybersecify.com, WhatsApp +91 9986 998 333, or DM Rathnakara GN on LinkedIn.

Share this article
MITMman-in-the-middleSSL strippingHSTScertificate pinningARP spoofingECHTLS security