The Man-in-the-Middle Trap
Well before the Internet, in 1903, Guglielmo Marconi’s company (of radio fame) became the first recorded victim of an electronic Man-in-the-Middle (MITM) attack.
It happened during a public demonstration of the then cutting-edge invention of wireless telegraphy. A message was to be sent from Cornwall (in the south-west of England) to the Royal Institution in London. A “bad actor” (the magician and rival wireless experimenter Nevil Maskelyne) secretly listened to the transmission and, without being detected by the audience at the Royal Institution, pushed a stronger signal into the London receiver carrying a revised message that appeared to come from Cornwall.
Today’s Internet attacks work in much the same way: an attacker inserts themselves into a connection or data transfer so that all traffic is routed through them. The standard mitigation is end-to-end encryption, but encryption on its own is not enough. The channel must also authenticate the peer at the far end (certificate verification in TLS, host-key checking in SSH); otherwise the attacker simply terminates the encryption on both sides and reads or rewrites everything in between. Even then, unless every part of the exchange is protected, including the initial connection set-up, transmissions may not be safe. We saw this recently with pre-authentication attacks on the handshakes of previously highly trusted protocols like SSH.
Protocols continue to be developed and improved to prevent MITM attacks. TLS and SSH keep data private and tamper-evident in transit and authenticate the peer, but their integrity checks use a symmetric key shared by the two ends of the connection, so either end can produce a valid check value and neither can prove to a third party who sent a given message. The Atsign atProtocol, if implemented properly, goes further and can provide non-repudiation, which requires a digital signature over the data itself rather than a shared-key check. In other words, you can prove that data came from a particular person, or thing, with cryptographic confidence.
We have seen huge leaps of progress on the Internet. Yet corporations seem intent on undoing this work by installing MITM software and hardware to inspect their employees’ traffic.
Today, very large brands in the remote-access and cloud spaces actively use MITM techniques to offer services and insight into employee behaviour. By doing so they deliberately create a MITM scenario, and with it a new attack surface. Worse, whoever controls the intercepting device, legitimately or not, is in a position to alter the employee access data it records, which can go very wrong for both the company and its employees.
You only need to look at the recent TV series, Mr Bates vs The Post Office, to understand just how wrong this can go. In that case the Post Office stuck to its belief that its accounting system was infallible, which led to the financial ruin and wrongful imprisonment of its sub-postmasters. The same over-trust in supposedly infallible evidence has been seen with fingerprint and DNA matching.
Balancing the need for employee monitoring against privacy, non-repudiation and legal considerations is crucial. Techniques like inserting a corporate CA certificate into endpoints, bastion hosts that terminate sessions, and inspecting proxies do deliver monitoring, but they open new attack surfaces and leave the access data they produce open to manipulation by whoever holds the intercepting keys.
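The following Go program is an added example, not Atsign code and not a description of how the atProtocol works internally. It models the two integrity layers discussed above. Each hop of a TLS- or SSH-style channel protects its records with an HMAC under a symmetric key that both ends of that hop hold. An inspecting proxy terminates hop 1 and originates hop 2, so it can rewrite an access event and re-tag it, and the receiver’s channel check still passes. A per-message Ed25519 signature (standing in for whatever end-to-end proof a real deployment uses) travels inside the record; the proxy cannot re-sign, so any rewrite is detected, and a valid signature proves which endpoint produced the event. Key names, the `sig || event` wire layout and the sample event text are assumptions made for the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// hopTag is the symmetric integrity tag a TLS- or SSH-style channel attaches
// to each record. Both ends of the hop hold the key, so either can mint one.
func hopTag(key, record []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(record)
	return m.Sum(nil)
}

func hopVerify(key, record, tag []byte) bool {
	return hmac.Equal(hopTag(key, record), tag)
}

// proxy is an inspecting middlebox: it terminates hop 1 (holds key1) and
// originates hop 2 (holds key2). rewrite, if set, is what it does in between.
type proxy struct {
	key1, key2 []byte
	rewrite    func([]byte) []byte
}

// relay checks the hop-1 tag, optionally rewrites the record, and re-tags it
// for hop 2. The hop-2 receiver cannot tell that anything happened.
func (p proxy) relay(record, tag []byte) ([]byte, []byte, error) {
	if !hopVerify(p.key1, record, tag) {
		return nil, nil, errors.New("hop 1 tag invalid")
	}
	if p.rewrite != nil {
		record = p.rewrite(record)
	}
	return record, hopTag(p.key2, record), nil
}

// Assumed end-to-end wire format: 64-byte Ed25519 signature || event bytes.
func encodeSigned(priv ed25519.PrivateKey, event []byte) []byte {
	return append(ed25519.Sign(priv, event), event...)
}

func decodeSigned(record []byte) (sig, event []byte, err error) {
	if len(record) < ed25519.SignatureSize {
		return nil, nil, errors.New("record too short")
	}
	return record[:ed25519.SignatureSize], record[ed25519.SignatureSize:], nil
}

// Outcome is what the receiver can establish about the event it was handed.
type Outcome struct {
	Received string
	HopOK    bool // hop-2 MAC verified; the proxy re-tagged it, so always true
	SigOK    bool // sender's signature verified over exactly what was received
}

// Run sends one access event from an endpoint, through the proxy, to the
// receiver. rewrite is the proxy's edit of the event text (nil = pass-through).
func Run(event string, rewrite func([]byte) []byte) (Outcome, error) {
	key1, key2 := make([]byte, 32), make([]byte, 32) // per-hop session keys
	rand.Read(key1)
	rand.Read(key2)
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // sender's identity key
	if err != nil {
		return Outcome{}, err
	}

	p := proxy{key1: key1, key2: key2}
	if rewrite != nil {
		// The proxy treats the signature as opaque bytes and edits only the event.
		p.rewrite = func(rec []byte) []byte {
			sig, ev, _ := decodeSigned(rec)
			return append(append([]byte(nil), sig...), rewrite(ev)...)
		}
	}

	// Sender: sign the event, then hand the record to the hop-1 channel.
	record := encodeSigned(priv, []byte(event))
	out, tag2, err := p.relay(record, hopTag(key1, record))
	if err != nil {
		return Outcome{}, err
	}

	// Receiver: channel check first, then the end-to-end signature check.
	sig, ev, err := decodeSigned(out)
	if err != nil {
		return Outcome{}, err
	}
	return Outcome{
		Received: string(ev),
		HopOK:    hopVerify(key2, out, tag2),
		SigOK:    ed25519.Verify(pub, ev, sig),
	}, nil
}

func main() {
	event := "alice ssh login to prod-db-1 ALLOWED" // constructed sample event
	clean, _ := Run(event, nil)
	altered, _ := Run(event, func(b []byte) []byte {
		return bytes.Replace(b, []byte("ALLOWED"), []byte("DENIED"), 1)
	})
	fmt.Printf("pass-through: %+v\n", clean)
	fmt.Printf("rewritten:    %+v\n", altered)
}
```

Run it and compare the two outcomes: in both, `HopOK` is true, because the proxy legitimately holds the hop-2 key and re-tags whatever it forwards. Only `SigOK` distinguishes the rewritten event from the genuine one, and only the signature lets the receiver later show a third party which endpoint produced the record. That is the difference between channel integrity and non-repudiation that the surrounding text relies on.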
Atsign’s approach, end-to-end security with cryptographic proofs of origin, allows corporate policies to be implemented without turning the monitoring point into a new attack surface.
Learn more about how Atsign can protect you—and your data—from MITM attacks—set up a demo today.
