5

I've heard that not using https is dangerous because of man-in-the-middle attacks.

Now, if I connect to a server from my home computer, I assume traffic passes through my ISP, so they could eavesdrop if they are malicious.

But how can a random IP address "order" my traffic to go through their IP so they can scan it, as well?

Do hackers have the power to just start snooping on traffic between any 2 random IP addresses if they wish to?

sashoalm

2 Answers

3

Government agencies can do so (if they really want to) by using a subpoena on any of the intermediary providers or on any of the end nodes. A "random" IP "somewhere on the internet" cannot just listen in on your traffic. If it cannot re-route traffic past itself, then there is no chance of eavesdropping on the connection.

Anyone who has access to your transfer medium can theoretically snoop on your connection. This can be someone who's also connected to the same wireless AP as you or any of the ISPs between you and your end point.

Lucas Kauffman
  • What about the modification of Border Gateway Protocol routes? There was an article by Ars Technica recently on how this was done multiple times by unknown entities... – Nasrus Nov 26 '13 at 13:53
  • BGP routes are also an option, but most of the "unknown entities" are also government agencies. BGP is not really easy to just play around with... – Lucas Kauffman Nov 26 '13 at 13:58
  • Just for reference, it's this article: http://arstechnica.com/security/2013/11/repeated-attacks-hijack-huge-chunks-of-internet-traffic-researchers-warn/. Also, I'm thinking that maybe it's possible that a malicious hacker hacks an ISP and changes routes from there. – Nasrus Nov 26 '13 at 14:07
1

Traffic can be intercepted and modified anywhere along its path to the endpoint or you can be tricked into sending data to an attacker who can then forward it for a MITM attack.

Everyone is vulnerable unless they verify the identity of the endpoint and validate the integrity of the data. In other words, use TLS.

Any of the upstream ISPs of your current network are in a position to modify your traffic. I hope you know your 3G, airport, and coffee shop providers well.

Any proxies you connect to can and do MITM you. Workplaces, "private" VPNs, and some countries' governments all do this.

Anyone on your network or anywhere upstream can poison ARP caches to redirect traffic through them.

Rogue networks can try to hijack traffic with malicious BGP announcements. Providers that don't protect themselves can end up routing traffic through a person in the middle.

Anyone can poison DNS on your resolver or any of the resolvers that your resolver may use or on insecure authoritative DNS servers so that a domain name you type in is resolved to a malicious IP address. The traffic is then sent (correctly) to the attacker.

Anyone that can compromise your computer can MITM you in a variety of ways depending on the OS. For example, by modifying the hosts file so that domain names are resolved to a malicious IP or by compromising firmware.

It is a prevalent attack in internet communication; or in any relayed information. The possibilities are endless. Verify endpoints. Encrypt data.

J.Money
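The answer above lists ARP cache poisoning as one way traffic on a local segment gets redirected through an attacker. As an added illustration (not code from either answer), here is a minimal arpwatch-style detector: it replays a constructed set of ARP reply records and flags any IP address whose claimed MAC changes from the one first learned, which is the footprint a poisoning attempt leaves on the segment. The record format and sample values are assumptions made for this example.

```python
# Added example: passive ARP "flip-flop" detection over constructed records.
# Each record is (timestamp, sender_ip, sender_mac) as a sniffer on the
# segment would log it from ARP replies. Nothing here is from the original page.

# Constructed sample: the gateway 192.168.1.1 first answers with its real MAC,
# then a different MAC starts claiming the same IP (the classic poisoning sign).
SAMPLE_ARP_REPLIES = [
    ("12:00:01", "192.168.1.1", "AA:BB:CC:00:00:01"),   # gateway, first seen
    ("12:00:02", "192.168.1.20", "aa:bb:cc:00:00:20"),  # another host
    ("12:00:05", "192.168.1.1", "aa:bb:cc:00:00:01"),   # normal refresh, same MAC
    ("12:00:09", "192.168.1.1", "de:ad:be:ef:00:99"),   # gateway IP, new MAC -> alert
    ("12:00:10", "192.168.1.1", "de:ad:be:ef:00:99"),   # still the new MAC -> alert
    ("12:00:11", "192.168.1.20", "aa:bb:cc:00:00:20"),  # unchanged, no alert
]


def detect_arp_flipflops(replies):
    """Return a list of (timestamp, ip, learned_mac, claimed_mac) for every
    ARP reply that binds an IP to a MAC other than the one first learned for it.
    MACs are normalised to lower case so case differences are not false alarms."""
    learned = {}   # ip -> MAC first seen for that IP
    alerts = []
    for ts, ip, mac in replies:
        mac = mac.lower()
        if ip not in learned:
            learned[ip] = mac          # first binding is trusted as the baseline
        elif learned[ip] != mac:
            alerts.append((ts, ip, learned[ip], mac))
    return alerts


def macs_per_ip(replies):
    """Summarise how many distinct MACs each IP has claimed; any count > 1
    is worth a look even if the baseline MAC itself was wrong."""
    seen = {}
    for _, ip, mac in replies:
        seen.setdefault(ip, set()).add(mac.lower())
    return {ip: len(macs) for ip, macs in seen.items()}


if __name__ == "__main__":
    for ts, ip, old, new in detect_arp_flipflops(SAMPLE_ARP_REPLIES):
        print(f"{ts} ALERT {ip}: learned {old}, now claimed by {new}")
    print(macs_per_ip(SAMPLE_ARP_REPLIES))
```

A real deployment would feed this from a live capture or the output of a tool such as arpwatch and would also re-baseline legitimate MAC changes (e.g. a replaced gateway) so they do not alert forever.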