Researchers may have found way to detect MiM attack

Man-in-the-middle attacks, in which an attacker uses forged SSL certificates to intercept encrypted connections between clients and servers, aren’t common. But if your organization is the victim of one, that isn’t very comforting.

So many IT security professionals will be interested in a test by researchers at Facebook and Carnegie Mellon University of a tool for detecting potential MiM attacks by identifying forged SSL certificates.

Using the technique, researchers analyzed more than three million SSL connections to Facebook and found 0.2 percent, or 6,845, contained tampered or forged certificates.


Most of the changes were related to anti-virus software and corporate content filters, with only 121 forged by malware and 330 by adware.

The detection technique they used isn’t new, but the fact that it could scan millions of connections means it can be used at scale for corporate Web sites.

The researchers also warn there are limitations.

“It is important to point out that the goal of our implementation was not to evade the SSL man-in-the-middle attacks with our detection mechanism. Admittedly, it would be difficult to prevent professional attackers that are fully aware of our detection method.” They think that’s unlikely.

However, they add, “if more websites become more aggressive about this sort of monitoring, we might get into an arms race, unfortunately.”

“Our data suggest that browsers could possibly detect many of the forged certificates based on size characteristics, such as checking whether the certificate chain depth is larger than one,” the study concludes. “We strongly encourage popular websites, as well as mobile applications, to deploy similar mechanisms to start detecting SSL interception.”
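
The following is an added example, not code from the study or from Facebook. It sketches how a site could triage client-reported certificate chains: the leaf fingerprint gives ground truth, and the size heuristic from the quote is scored against it. The byte strings, the `MIN_CHAIN_BYTES` threshold and all function names are assumptions, as is the reading that a chain no deeper than one certificate is the suspicious shape.

```python
import hashlib
from collections import Counter

def fp(der: bytes) -> str:
    """SHA-256 fingerprint of one DER-encoded certificate."""
    return hashlib.sha256(der).hexdigest()

# Constructed stand-ins for DER certificates (not real certificates); a real
# deployment would use the bytes reported by the client-side probe.
LEGIT_LEAF = b"\x30\x82" + b"L" * 1400
LEGIT_CA = b"\x30\x82" + b"I" * 1100
AV_PROXY_LEAF = b"\x30\x82" + b"A" * 700        # interception product, leaf only
LOOKALIKE_LEAF = b"\x30\x82" + b"M" * 1300      # forged chain with legitimate shape
LOOKALIKE_CA = b"\x30\x82" + b"C" * 1200

KNOWN_LEAF_FPS = {fp(LEGIT_LEAF)}   # fingerprints the site actually serves
MIN_CHAIN_BYTES = 2000              # assumed threshold; tune to the real chain

def is_forged(chain):
    """Ground truth: the leaf the client saw is not one the site serves."""
    return not chain or fp(chain[0]) not in KNOWN_LEAF_FPS

def size_heuristic(chain):
    """Shape-only guess: depth not above one, or small total size."""
    return len(chain) <= 1 or sum(len(c) for c in chain) < MIN_CHAIN_BYTES

def triage(reports):
    """Count forged chains and how many the size heuristic alone catches."""
    stats = Counter()
    for chain in reports:
        stats["total"] += 1
        forged, flagged = is_forged(chain), size_heuristic(chain)
        if forged:
            stats["forged"] += 1
            stats["forged_caught" if flagged else "forged_missed"] += 1
        elif flagged:
            stats["false_alarm"] += 1
    return dict(stats)

REPORTS = [   # constructed sample of client reports
    [LEGIT_LEAF, LEGIT_CA],
    [LEGIT_LEAF, LEGIT_CA],
    [AV_PROXY_LEAF],
    [LOOKALIKE_LEAF, LOOKALIKE_CA],
]

if __name__ == "__main__":
    print(triage(REPORTS))
```

The forged chain that mirrors the legitimate depth and size is missed by the heuristic but still caught by the fingerprint comparison, which is why the shape check is a complement to server-side monitoring rather than a replacement.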


Howard Solomon