Guide | How To Protect Yourself Against MITM Attacks

Deleted member 178 (thread author)
OK, everybody here knows about malware, AVs, etc., but there is an area we don't talk about enough: data protection.

One well-known attack is called MITM, aka Man-in-the-Middle attack:

In cryptography and computer security, a man-in-the-middle attack (often abbreviated MitM, MiM attack, MitMA or the same using all capital letters) is an attack where the attacker secretly relays and possibly alters the communication between two parties who believe they are directly communicating with each other. A man-in-the-middle attack can be used against many cryptographic protocols.[1] One example of man-in-the-middle attacks is active eavesdropping, in which the attacker makes independent connections with the victims and relays messages between them to make them believe they are talking directly to each other over a private connection, when in fact the entire conversation is controlled by the attacker. The attacker must be able to intercept all relevant messages passing between the two victims and inject new ones. This is straightforward in many circumstances; for example, an attacker within reception range of an unencrypted Wi-Fi wireless access point can insert himself as a man-in-the-middle.[2]

As an attack that aims at circumventing mutual authentication, or lack thereof, a man-in-the-middle attack can succeed only when the attacker can impersonate each endpoint to their satisfaction as expected from the legitimate other end. Most cryptographic protocols include some form of endpoint authentication specifically to prevent MITM attacks. For example, TLS can authenticate one or both parties using a mutually trusted certificate authority.[3]

Man-in-the-middle attack - Wikipedia

So what can you do to counter it?

Basically you have to secure the transmission via encryption; for this we use the DNSCrypt protocol:

DNSCrypt is a protocol that authenticates communications between a DNS client and a DNS resolver. It prevents DNS spoofing. It uses cryptographic signatures to verify that responses originate from the chosen DNS resolver and haven't been tampered with.

DNSCrypt - Official Project Home Page

There is a simple app called Simple DNSCrypt that will automate and really simplify the implementation of this protocol.

Simple DNSCrypt - Official Project Home Page

We will then choose from the list a DNS provider using DNSSEC.

DNSSEC is a technology that was developed to, among other things, protect against such attacks by digitally 'signing' data so you can be assured it is valid. However, in order to eliminate the vulnerability from the Internet, it must be deployed at each step in the lookup from root zone to final domain name (e.g., www.icann.org). Signing the root (deploying DNSSEC on the root zone) is a necessary step in this overall process. Importantly it does not encrypt data. It just attests to the validity of the address of the site you visit.

DNSSEC – What Is It and Why Is It Important? - ICANN


Simple as that ;)

Thanks for reading.

Av Gurus

Happy user for some time :D

Deleted member 178 (thread author)
@shmu26 let me explain simply.

Whatever you do on your computer, when you access the internet you send packets of data, which will pass between routers/relays/networks until they reach the destination you want (server/website/computer). Then you will get a response from the destination.

Now let's say I want to know what/where/who you are communicating with; all I have to do is take over one of the relays between you and the destination. Since you have no access to those relays, you can't protect them. Now that I have access to the relay, I can reconstruct the data and read (eavesdrop on) what you are communicating; I can even modify the content to my needs.

you have a good example here: Man-in-the-middle attack - Wikipedia
 

shmu26

> @shmu26 let me explain simply.
>
> Whatever you do on your computer, when you access the internet you send packets of data, which will pass between routers/relays/networks until they reach the destination you want (server/website/computer). Then you will get a response from the destination.
>
> Now let's say I want to know what/where/who you are communicating with; all I have to do is take over one of the relays between you and the destination. Since you have no access to those relays, you can't protect them. Now that I have access to the relay, I can reconstruct the data and read (eavesdrop on) what you are communicating; I can even modify the content to my needs.
>
> You have a good example here: Man-in-the-middle attack - Wikipedia

Thanks, Umbra!
 

RedTeam

Sadly DNSCrypt will save you from MiTM attacks. What it does do is give more privacy from your ISP.

MiTM attacks are very hard to defend against because the attacker is most likely using stolen certificates and has control over fiber backbones.

Using a browser that has good security can help. Firefox and Chrome will alert you on stolen and forged certificates.
 

XhenEd

How do I know if DNSCrypt through Simple DNSCrypt is working? I think it's already enabled, but I'm not sure if it's really working.

Edit:
Never mind. I just found out that my DNS server changed to 127.0.0.1, instead of the default.
 

Azure

Very informative. I presume this tool can be used together with other software like MBAM or ZAL with their real-time protection enabled without conflicts.
The only problem is ZAM/ZAL detecting the change as a DNS hijack. But simply excluding that detection after a scan is enough.
 

HarborFront

> How do I know if DNSCrypt through Simple DNSCrypt is working? I think it's already enabled, but I'm not sure if it's really working.
>
> Edit:
> Never mind. I just found out that my DNS server changed to 127.0.0.1, instead of the default.
Same as mine. Is pointing to 127.0.0.1 correct or is there something wrong?

Thanks
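A concrete way to answer the question XhenEd and HarborFront raise above (is the 127.0.0.1 resolver setting actually DNSCrypt at work?) from an elevated PowerShell prompt on Windows. This is an added example, not code from the thread or from the Simple DNSCrypt project; it assumes the local proxy listens on 127.0.0.1 and 127.0.0.2, UDP port 53, as the thread describes, and `example.com` is only a constructed probe name.

```powershell
# Added example (not from the thread): verify that the Windows DNS client really goes
# through the local DNSCrypt proxy, rather than just trusting the "127.0.0.1" display.
# Assumption: the proxy listens on 127.0.0.1 / 127.0.0.2 port 53 (as stated in the thread).
$LoopbackResolvers = @('127.0.0.1', '127.0.0.2')
$ProbeName = 'example.com'   # constructed probe name, any public hostname works

# 1. Every adapter that has IPv4 DNS settings should list only the loopback resolvers.
#    An adapter (VPN tunnel, second NIC) that still lists an ISP/DHCP resolver sends
#    its queries in the clear and bypasses DNSCrypt entirely.
$bypassing = Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses.Count -gt 0 } |
    Where-Object { ($_.ServerAddresses | Where-Object { $_ -notin $LoopbackResolvers }).Count -gt 0 }

if ($bypassing) {
    Write-Warning 'These adapters still use a resolver outside the DNSCrypt proxy:'
    $bypassing | Format-Table InterfaceAlias, ServerAddresses -AutoSize
} else {
    Write-Host "All adapters with DNS settings point at $($LoopbackResolvers -join ', ')"
}

# 2. Something must actually be listening on loopback:53; otherwise 127.0.0.1 in the
#    adapter settings means name resolution is broken, not encrypted.
$listeners = Get-NetUDPEndpoint -LocalPort 53 -ErrorAction SilentlyContinue |
    Where-Object { $_.LocalAddress -in $LoopbackResolvers -or $_.LocalAddress -eq '0.0.0.0' }

if ($listeners) {
    $listeners | ForEach-Object {
        $owner = if ($_.OwningProcess) {
            (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName
        }
        Write-Host ("Listening on {0}:53 -> PID {1} ({2})" -f $_.LocalAddress, $_.OwningProcess, $owner)
    }
} else {
    Write-Warning 'Nothing is listening on UDP 53 on the loopback addresses; the proxy is not running.'
}

# 3. End-to-end: send a query straight to the proxy and confirm it answers.
try {
    $answer = Resolve-DnsName -Name $ProbeName -Type A -Server $LoopbackResolvers[0] -DnsOnly -ErrorAction Stop
    $ips = ($answer | Where-Object { $_.Type -eq 'A' }).IPAddress -join ', '
    Write-Host "Resolved $ProbeName via $($LoopbackResolvers[0]): $ips"
} catch {
    Write-Warning "Query to $($LoopbackResolvers[0]) failed: $($_.Exception.Message)"
}
```

If step 1 reports a bypassing adapter, that adapter's queries are not covered no matter what Simple DNSCrypt shows in its own window.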

HarborFront

> That is correct. If you use DNSCrypt, your DNS should change to that. :)
Hi

I understand that the server will change its settings to 127.0.0.1 and 127.0.0.2, which is expected.

So, if I want to use another DNS server, will Simple DNSCrypt revert the DNS server settings to 127.0.0.1 and 127.0.0.2? If yes, then how do I go about resolving this?

Thanks

XhenEd

> Hi
>
> I understand that the server will change its settings to 127.0.0.1 and 127.0.0.2, which is expected.
>
> So, if I want to use another DNS server, will Simple DNSCrypt revert the DNS server settings to 127.0.0.1 and 127.0.0.2? If yes, then how do I go about resolving this?
>
> Thanks
I'm not sure, actually, as I don't use it anymore. @Umbra might be able to help.