Internet hacks: What is a man-in-the-middle attack?

Lexie M
7 min read · Mar 21, 2016

When you enter ExpressVPN.com into your browser bar, your computer looks up the IP address of ExpressVPN.com in a global database called DNS (the Domain Name System), which is kind of like a phone book for websites.

These global databases are mirrored across different servers around the world, and one is often situated very close to your present location, wherever you are.

Domain Name System Operators

Your local telecommunications provider probably maintains such a DNS server. Google, ExpressVPN, and others also run their own DNS services, although for different reasons: Google wants to know every single page that you navigate to, while ExpressVPN runs the service to protect your privacy and increase your browsing speed.

There are also other, free DNS services that promise privacy and censorship resistance, like the Open NIC Project.

Man-in-The-Middle Attacks

The DNS server is the first possible entry point for a man-in-the-middle attack. Plain DNS gives you no way of knowing whether the server is returning the correct IP address, so when you type in a web address you might end up on the wrong server, or on the attacker's server.

The term man-in-the-middle attack describes a very specific attack in which the attacker sits between two victims (in this case, you and the server). Both sides are victims because both are tricked into thinking they are communicating directly with each other, when in fact they are talking through a third party, the attacker.

Of course, in reality, a man-in-the-middle attacker does not have to be a man or even a single person. It could be a group of people, but it’s most likely simply a piece of software.

Imagine being the victim of such an attack. The attacker could read all your Internet traffic, including any passwords you enter on a website and all the emails you type. This would be a disaster, so how can we have a secure and functioning internet when vulnerabilities like this exist?

(Image caption: HTTP, where the magic is.)

Hypertext Transfer Protocol Secure and the Green Lock

The answer to the problem is HTTPS (Hypertext Transfer Protocol Secure).

HTTP stands for Hypertext Transfer Protocol and was developed in the 1990s. Since 1997, HTTP has been the de facto standard for exchanging structured text, i.e. websites, across the web.

HTTPS significantly improved the security of HTTP in the late 2000s. The S stands for Secure; HTTPS currently relies on two main protocols for encryption, SSL (Secure Sockets Layer) and TLS (Transport Layer Security), though the former is being phased out.

HTTPS does two things: it encrypts the traffic between you and the site you are visiting, and it authenticates the site, assuring you that the site you are visiting is really the site you intended to visit. You can tell that a site uses HTTPS because a green lock appears in your browser bar.

To achieve this, the owner of the site has to obtain a certificate for their public key from a Certificate Authority (CA). Certificates and their issuance are made public (Certificate Transparency), so that if a certificate is issued incorrectly the owner can easily find out, as happens to Google frequently.

You can look up anybody's certificates using Google's online Certificate Transparency tool, simply by typing in their domain.

So as long as every site uses HTTPS, and as long as we check each site we visit for the green lock in the browser bar, we are theoretically safe from these man-in-the-middle attacks.

If we navigate to a new site and find that the connection is not encrypted (no green lock), it is impossible to know whether the site simply doesn't support encryption (in which case we might publicly shame them and avoid them until they do) or whether we are the victim of a man-in-the-middle attack.

Even if a site requires you to connect over an encrypted channel, an attacker in the middle can make their own encrypted connection to the site, so the site believes everything is fine, while the connection between the attacker and the user remains unencrypted.

HTTP Strict Transport Security Is a Higher Level of Security

To protect against this, ExpressVPN and many others use something called HSTS (HTTP Strict Transport Security).

When you first connect to an HSTS website, the website instructs your browser to only ever connect over HTTPS in the future and never over any unencrypted channel. This only works, however, if you are not already being attacked the first time you connect to the site.

Some popular, high-profile websites go a step further and have convinced the developers of major browsers to include a special rule in their software that ensures even a first-time connection is made over an encrypted channel.

HTTPS Everywhere for Your Browser

The Electronic Frontier Foundation has released a clever tool called HTTPS Everywhere that allows you to set rules for all the sites you visit and forces your browser to use only HTTPS. This makes it far less likely that you accidentally overlook a man-in-the-middle attack.

HTTPS Everywhere is an extension to your browser, and it works with Firefox, Chrome, and Opera. You can even set a rule that blocks all connections made with HTTP, although sadly this makes many sites unusable.

(Image caption: It's important to keep your email and chat secure.)

Encrypting Chat and Email to Protect from Man-in-the-Middle Attacks

Man-in-the-middle attacks are not limited to browsing. They are a threat wherever encryption is used, for example in email or chat messaging. In encrypted chat and email, the strategy of the attack is similar to that used against web browsing, but the defense is slightly different.

Off-the-record Messaging (OTR)

OTR is a protocol that allows for strongly encrypted chat conversations between individuals. When an OTR chat is initiated, encryption keys are exchanged between the users. If an attacker places themselves between two users, they could set up two separate encrypted chats with the two victims, making each believe they are talking directly to the other.

As Certificate Authorities don't exist for chat apps, the two users need to verify their keys manually to make sure they are indeed talking directly to each other. They can do this by listing their keys on their website or business card, or by communicating them over any secure channel the attacker does not have access to.

Pretty Good Privacy (PGP)

PGP is the gold standard in encryption. It is used to encrypt text, emails, and files. It can also be used to verify the integrity of any kind of data.

Since anyone can create a PGP key, an attacker might simply distribute a key in the name of an intended victim. Now, if anyone tries to communicate with the victim, they actually end up communicating with the attacker, who will forward the messages to the victim. Both parties think that since they are using PGP, they are secure, but instead they are outright sharing their messages with the attacker.

PGP keys are commonly uploaded to keyservers, where they become publicly visible. To defend against false keys, PGP uses a feature called key signing. This works by getting several of your colleagues and trusted friends to sign your key. Working on the principle that everyone on the internet is connected through fewer than four people, it's likely that someone you trust has signed a stranger's key.

In practice, however, keys are not commonly signed, and you will still need to rely on authenticating your chat partner yourself.
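The manual key check described for OTR above, and a one-hop version of the PGP key signing just discussed, as an added example (not the article's code and not a real OTR or PGP implementation): the user compares the fingerprint of the key their client received with one obtained out of band, and a keyring treats a key as introduced when a key the user already verified has signed it. Keys are placeholder byte strings, the fingerprint display format is a constructed convention, and signatures are recorded as (signer, signed) pairs whose cryptographic validity is assumed to have been checked already.

```python
import hashlib
import hmac

def fingerprint(public_key: bytes) -> str:
    """SHA-256 of the key bytes in groups of four hex digits, easy to read aloud or print on a card."""
    digest = hashlib.sha256(public_key).hexdigest().upper()
    return " ".join(digest[i:i + 4] for i in range(0, len(digest), 4))

def matches_out_of_band(received_key: bytes, spoken_fp: str) -> bool:
    """Compare the received key's fingerprint with one read from a business card or said over the phone.
    Spacing and case are normalised first; the comparison itself is constant-time."""
    expected = "".join(spoken_fp.split()).upper()
    return hmac.compare_digest("".join(fingerprint(received_key).split()), expected)

class KeyRing:
    """Minimal web-of-trust model: keys the user verified directly, plus signatures made by other keys.
    Signature validity is assumed to have been checked already (a simplification of real PGP)."""

    def __init__(self):
        self.verified = set()    # fingerprints the user checked out of band
        self.signatures = set()  # (signer_fp, signed_fp) pairs

    def mark_verified(self, key: bytes) -> None:
        self.verified.add(fingerprint(key))

    def add_signature(self, signer_key: bytes, signed_key: bytes) -> None:
        self.signatures.add((fingerprint(signer_key), fingerprint(signed_key)))

    def trust_level(self, key: bytes) -> str:
        """'verified' if checked by the user, 'introduced' if signed by a verified key, else 'unknown'."""
        fp = fingerprint(key)
        if fp in self.verified:
            return "verified"
        if any(signer in self.verified for signer, signed in self.signatures if signed == fp):
            return "introduced"
        return "unknown"

def mitm_scenario() -> dict:
    """Constructed scenario: Bob's real key fingerprint is on his business card, but the chat
    session delivers Mallory's key labelled as Bob's. Returns what a careful user's checks show."""
    bob_key = b"constructed-public-key-bob"          # placeholder bytes, not a real key
    mallory_key = b"constructed-public-key-mallory"  # key presented to Alice as 'Bob'
    business_card = fingerprint(bob_key)
    ring = KeyRing()
    ring.mark_verified(bob_key)
    return {
        "real_key_matches_card": matches_out_of_band(bob_key, business_card),
        "substituted_key_matches_card": matches_out_of_band(mallory_key, business_card),
        "substituted_key_trust": ring.trust_level(mallory_key),
    }
```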

Other Encrypted Chat Apps

Some chat apps, such as Signal and Telegram, allow you to verify the fingerprint of your conversation partner and, therefore, have some mechanism to detect man-in-the-middle attacks.

Other encrypted message platforms, such as iMessage and WhatsApp, do not have these features. They leave you in the dark about such attacks, so you are forced to rely on the service to defend you, somehow.

It’s Important to Protect Yourself from Man-In-The-Middle Attacks

Checking that the sites you visit are using sufficient encryption is the only effective defense against man-in-the-middle attacks.

For sites you regularly visit, the HTTPS Everywhere extension will make sure every time you connect to the site, it is over an encrypted connection. Doing so ensures an attacker cannot trick you into entering information to a server that merely impersonates the server you wanted to be connected to.

When the green lock is missing, under no circumstances should you enter any personal information such as email addresses or passwords. If there is no green lock on display, try again later, connect through a VPN, or reach out to the website operator.

Featured image: Vladimir Koletic / Dollar Photo Club
HTTP: Melpomene / Dollar Photo Club
Chat: Gstudio Group / Dollar Photo Club

Originally published at Home of internet privacy.

Lexie M

I write about information security, bitcoin, and privacy @expressvpn. I'm excited about empowerment through technology, space travel, and blueberry pancakes.