
I'm trying to understand what these attacks are restricted to. I'm aware that man-in-the-middle attacks can be done if the attacker is on the same network (using something like Wireshark), but is it possible for someone to snoop in on traffic when we're not connected to the same network? e.g. connecting to Facebook, from a home network, only myself on the network, using SSL.

On my own website, we had a login form that didn't have SSL. Would it have been possible, without anyone having access to the server that the website is hosted on, for someone to obtain my login information?

If anyone could reference me to some good books or in-depth explanations that would be much appreciated.

Thanks!

Toby Mellor
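For the second part of the question (a login form posted without SSL), here is an added example that is not from the question or any of the answers: it feeds a constructed capture of a plain-HTTP login POST into Go's standard request parser and pulls out the form fields, which is exactly what an on-path observer can do with the same bytes. The hostname, path, field names and values are placeholders, not a real site or account.

```go
package main

import (
	"bufio"
	"fmt"
	"net/http"
	"strings"
)

// Constructed capture of a login form submitted over plain HTTP, as an
// on-path observer (hijacked resolver, ISP, compromised VPN) would see it.
// Host, path, field names and values are placeholders, not a real account.
const capturedRequest = "POST /login HTTP/1.1\r\n" +
	"Host: www.example.com\r\n" +
	"Content-Type: application/x-www-form-urlencoded\r\n" +
	"Content-Length: 33\r\n" +
	"\r\n" +
	"username=toby&password=hunter2%21"

// ExtractCredentials parses raw request bytes exactly as the server would and
// returns the username and password fields of a form-encoded POST. Nothing
// here is attacker-specific: without TLS the wire bytes are the same bytes the
// server parses, so anyone between browser and server can run this parser.
func ExtractCredentials(raw string) (user, pass string, err error) {
	req, err := http.ReadRequest(bufio.NewReader(strings.NewReader(raw)))
	if err != nil {
		return "", "", fmt.Errorf("not an HTTP request: %w", err)
	}
	if req.Method != http.MethodPost {
		return "", "", fmt.Errorf("not a form submission: %s %s", req.Method, req.URL.Path)
	}
	if err := req.ParseForm(); err != nil {
		return "", "", fmt.Errorf("cannot parse form body: %w", err)
	}
	// PostForm already applies percent-decoding, so "hunter2%21" becomes "hunter2!".
	return req.PostForm.Get("username"), req.PostForm.Get("password"), nil
}

func main() {
	user, pass, err := ExtractCredentials(capturedRequest)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("recovered login: user=%q pass=%q\n", user, pass)
}
```

Over HTTPS the same observer sees only the TLS ClientHello (which still carries the hostname in the SNI extension) followed by encrypted records, which is why the answers below concentrate on subverting the name-to-address mapping or the certificate check rather than on reading the bytes directly.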

3 Answers


Man-in-the-middle attacks can be done by hijacking DNS so that it does not give the real IP address of a host but an IP controlled by the attacker. A typical case of hijacking DNS is changing the DNS settings in the router. One way to do this from outside of your local network is a CSRF attack. These kinds of man-in-the-middle attacks have been done for years and en masse; see the mass hijacking of routers in Brazil in 2012.

Of course, another way to snoop on the traffic is to employ malware, which can be easily distributed through phishing mails or malvertisement. This malware could then inject itself into the browser and perform a man-in-the-browser attack to sniff and modify unencrypted as well as encrypted traffic.

Steffen Ullrich

Your ISP can engage in MITM attacks even if you're using SSL!

First, your ISP controls your access to the Internet, so it doesn't need to engage in a DNS attack, although it could. Rather, it could simply route (as in Layer 2 or Layer 3 IP routing) any and all traffic to a server in the middle (think proxy server without the proxy settings in your browser).

Next, your browser, like most browsers, is probably fairly liberal when it comes to CA root certificates. That is, it may have dozens or hundreds of root certs. A handful of these are quite trustworthy, a few dozen are mostly trustworthy and some are downright disastrous. If your ISP (or any MITM attacker) can obtain a server certificate from one of these borderline CAs (not terribly difficult), they can create what appears to be a secured SSL session with you (your browser has the fancy lock icon). However, in classic man-in-the-middle style, the SSL session terminates at the middle server. That server creates a second SSL session with the legitimate backend server. Neither end party is the wiser.

What does this mean? All traffic (usernames, passwords, bank accounts, etc.) passes through the first secure pipe, into the clear at the application level of the middle server (to be captured and later reviewed) and then back into the second secure pipe.

Whoops! MITM attack and you'd never know. Could this happen? Rogue employee at ISP. Or, perhaps a foreign country (could be a friendly foreign country) decides to snoop on your corporate email via this method.

Your best defense is to remove most of the root certificates from your computer, whether it's via the browser or some other key store or both. If you don't need it or know it, why trust it? The whole point of PKI root certificates is to only use the ones you trust.

I actually think this is more realistic than a DNS attack. Plus, the DNS attack still has to appear as a legitimate SSL session which means getting a valid SSL server certificate. However, I have no real world data for either scenario.

Andrew Philips
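The middle-server scenario in this answer, and its proposed defence of pruning the root store, as an added example that is not from the answer or its author, written against Go's standard library only: it constructs a trusted root and a "borderline" root, issues a certificate for the same placeholder hostname from each, and shows that a browser-like store holding both roots accepts the interception certificate, that a store pruned to the one trusted root does not, and, going one step beyond the answer, that pinning the legitimate server's public key (an SPKI hash) also rejects it even when the trust store is left untouched. Both CA names, all keys and the hostname are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

var notBefore, notAfter = time.Now().Add(-time.Hour), time.Now().Add(24 * time.Hour)

// Result: how a legitimate and a MITM certificate for one hostname fare under
// a browser-like broad trust store, a pruned store, and SPKI pinning.
type Result struct {
	LegitAcceptedByBroadStore, MitmAcceptedByBroadStore bool
	MitmAcceptedByPrunedStore                           bool
	LegitPassesPin, MitmPassesPin                       bool
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func mustCert(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer))
	return must(x509.ParseCertificate(der))
}

// newCA makes a self-signed root. Both roots in this example are constructed;
// neither corresponds to a real CA.
func newCA(name string) (*ecdsa.PrivateKey, *x509.Certificate) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: notBefore, NotAfter: notAfter,
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	return key, mustCert(tmpl, tmpl, &key.PublicKey, key)
}

// issueLeaf has ca sign a server certificate for host with a fresh key pair.
func issueLeaf(ca *x509.Certificate, caKey *ecdsa.PrivateKey, host string) *x509.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: host},
		DNSNames: []string{host}, NotBefore: notBefore, NotAfter: notAfter,
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	return mustCert(tmpl, ca, &key.PublicKey, caKey)
}

// chainValid is the browser's check: does leaf chain to any root in the store
// and cover host? It says nothing about which root signed it.
func chainValid(leaf *x509.Certificate, roots *x509.CertPool, host string) bool {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err == nil
}

// spkiPin is the base64 SHA-256 of the SubjectPublicKeyInfo (HPKP-style).
// The middle server holds a different key, so its pin can never match.
func spkiPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// RunScenario builds a trusted root and a "borderline" root, issues a
// certificate for host from each, and evaluates the three client policies.
func RunScenario(host string) Result {
	goodKey, goodCA := newCA("Trusted Root CA (constructed)")
	badKey, badCA := newCA("Borderline Root CA (constructed)")
	legit := issueLeaf(goodCA, goodKey, host)
	mitm := issueLeaf(badCA, badKey, host) // the middle server's certificate
	broad, pruned := x509.NewCertPool(), x509.NewCertPool()
	broad.AddCert(goodCA)
	broad.AddCert(badCA)
	pruned.AddCert(goodCA)
	pins := map[string]bool{spkiPin(legit): true} // recorded on a known-good connection
	return Result{
		LegitAcceptedByBroadStore: chainValid(legit, broad, host),
		MitmAcceptedByBroadStore:  chainValid(mitm, broad, host),
		MitmAcceptedByPrunedStore: chainValid(mitm, pruned, host),
		LegitPassesPin:            chainValid(legit, broad, host) && pins[spkiPin(legit)],
		MitmPassesPin:             chainValid(mitm, broad, host) && pins[spkiPin(mitm)],
	}
}

func main() {
	fmt.Printf("%+v\n", RunScenario("www.example.com")) // placeholder hostname
}
```

Pruning only helps against roots you actually removed and breaks every site that legitimately chains to them; a pin fails closed against any root, at the cost of needing a key-rotation plan, which is why it is the check to reach for on a client you control rather than editing the root list.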

As the name indicates, an adversary would need to place itself between you and your destination (e.g. Facebook) in order to snoop on traffic. How it can accomplish this depends entirely on the attack surface. To answer your question, yes it is possible for an attacker to intercept your traffic without having access to your network. Consider the following scenario: you're connected to the Internet through your VPN. An attacker compromises your VPN via a vulnerability in software running on the server. Your traffic can now be sniffed and manipulated. And as Steffen pointed out, an attacker can possibly gain entry to your network through a vulnerability in your access point or via client side attacks (e.g. browser or plugin exploits / social engineering).

Hello