Man-in-the-Middle
Man-in-the-Middle (MitM) is an attack in which an adversary intercepts communication between two parties, enabling eavesdropping, data modification, or credential theft. MitM attacks can occur at the network level (ARP spoofing) or application level (SSL stripping).
What is Man-in-the-Middle?
Man-in-the-Middle Definition
Man-in-the-Middle (MitM) is an attack type where an adversary positions themselves between two parties (e.g., user and server) to intercept, read, or modify communication. The victim doesn’t realize their traffic is routed through the attacker.
MitM Attack Variants
Network-level:
- ARP spoofing
- DNS spoofing
- DHCP spoofing
- BGP hijacking
Application-level:
- SSL/TLS interception
- SSL stripping
- HTTP injection
- Session hijacking
Wireless:
- Evil twin (rogue WiFi)
- Karma attacks
- Bluetooth MitM
How does MitM work?
Classic scenario:
- Attacker joins the same network as victim
- ARP spoofing redirects victim’s traffic
- Attacker intercepts communication
- Traffic is forwarded on to its real destination, so the victim notices nothing
- Eavesdropping, modification, credential theft
MitM Attack Tools
- Ettercap: Classic MitM framework
- Bettercap: Modern successor
- mitmproxy: HTTP/HTTPS interception
- Wireshark: Traffic analysis
- Responder: LLMNR/NBT-NS poisoning
SSL/TLS and MitM
SSL stripping:
- Downgrading HTTPS to HTTP
- User sees HTTP (no padlock)
- Attacker sees plaintext traffic
Defense:
- HSTS (HTTP Strict Transport Security)
- Certificate pinning
- User awareness
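To make the HSTS defence concrete, here is an added example (not code from the page) modelling the policy store a browser keeps: once a host's `Strict-Transport-Security` policy is cached, an `http://` link is rewritten to `https://` before any request leaves the client, so a stripping proxy never sees a plaintext request; the first visit to an unknown host stays exposed, which is the gap HSTS preloading closes. Hostnames are constructed; the header parsing follows RFC 6797 (max-age is mandatory, only TLS responses may set or clear a policy).

```python
# Added example (not from the page): a minimal model of a browser's HSTS
# policy store, to show why SSL stripping fails once a policy is cached,
# why the first visit remains exposed, and how preloading closes that gap.
# Hostnames used below are constructed for illustration.
from urllib.parse import urlsplit, urlunsplit


def parse_hsts(header):
    """Parse a Strict-Transport-Security value into (max_age, include_subdomains).

    Returns None when the header is unusable (no max-age, or a malformed value);
    RFC 6797 tells a client to ignore such a header rather than guess.
    """
    max_age, include_sub = None, False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                max_age = int(value.strip().strip('"'))
            except ValueError:
                return None
        elif name == "includesubdomains":
            include_sub = True
    return None if max_age is None else (max_age, include_sub)


class HstsStore:
    """Known-HSTS hosts: hostname -> (expiry epoch seconds, include_subdomains)."""

    def __init__(self, preload=()):
        # Preloaded hosts ship with the browser and never expire.
        self.policies = {h.lower(): (float("inf"), True) for h in preload}

    def observe_response(self, host, headers, over_tls, now):
        """Record the policy carried by a response.

        Only responses received over TLS may set or clear a policy (RFC 6797 8.1);
        a plaintext response, which is exactly what a stripping proxy controls,
        is ignored.
        """
        if not over_tls:
            return
        value = headers.get("Strict-Transport-Security")
        parsed = parse_hsts(value) if value is not None else None
        if parsed is None:
            return
        max_age, include_sub = parsed
        host = host.lower()
        if max_age == 0:
            self.policies.pop(host, None)  # max-age=0 tells the client to forget the host
        else:
            self.policies[host] = (now + max_age, include_sub)

    def is_known(self, host, now):
        """True if host, or a parent domain with includeSubDomains, has a live policy."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            policy = self.policies.get(".".join(labels[i:]))
            if policy is None:
                continue
            expiry, include_sub = policy
            if expiry > now and (i == 0 or include_sub):
                return True
        return False

    def rewrite_url(self, url, now):
        """Return the URL the client actually fetches: http:// becomes https://
        for known hosts, so a downgraded link never produces a plaintext request."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not self.is_known(parts.hostname, now):
            return url
        netloc = parts.hostname if parts.port in (None, 80) else parts.netloc
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
```

The `over_tls` flag is the detail that matters for stripping: a proxy that has already downgraded the connection can only deliver plaintext responses, and those can neither set a policy for a new host nor clear an existing one with `max-age=0`. Expiry is why operators set `max-age` to a year or more; preloading is why the first-visit window disappears for listed domains.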
Adversary-in-the-Middle (AiTM)
Modern MitM variant targeting MFA:
- User receives phishing link
- Phishing proxies traffic to legitimate site
- User completes MFA authentication
- Attacker captures session token
- Session used to bypass MFA
MitM Defense
Network:
- 802.1X authentication
- Dynamic ARP inspection
- DHCP snooping
- Network segmentation
Application:
- TLS everywhere
- Certificate validation
- HSTS
- Certificate pinning
User:
- VPN on untrusted networks
- Verifying certificates
- Avoiding public WiFi for sensitive operations
MitM attacks remain relevant despite TLS ubiquity, especially in internal networks and through social engineering (AiTM).
Frequently asked questions
+ What is a Man-in-the-Middle attack in simple terms?
A Man-in-the-Middle (MITM) attack is one where the attacker secretly positions themselves between two communicating parties — user and server, two devices, two organisations — and intercepts, reads, or modifies the traffic without either party knowing. From the victim's perspective, communication looks normal; from the attacker's perspective, every message is visible. Classic examples: an attacker on coffee-shop Wi-Fi reading your bank login, ARP spoofing in a corporate LAN, evil-twin Wi-Fi access points, real-time phishing toolkits (Evilginx, Modlishka) that bypass MFA. MITM is the underlying mechanism of many other attack types — credential theft, session hijacking, transaction fraud.
+ What are the main types of MITM attacks?
Six common MITM techniques: (1) **ARP spoofing** — local network attack, fakes MAC-to-IP mapping, redirects LAN traffic, (2) **DNS spoofing / poisoning** — corrupts DNS responses to redirect victims to malicious sites, (3) **Evil twin Wi-Fi** — rogue access point with same SSID as legitimate Wi-Fi, victims auto-connect, (4) **SSL stripping** — downgrade HTTPS to HTTP at attacker's proxy (foiled by HSTS), (5) **Real-time phishing relay** — Evilginx, Modlishka relay credentials and MFA codes to legitimate site in real time, defeats SMS-OTP and TOTP, (6) **BGP hijacking** — internet routing attack redirecting entire traffic flows; rare but devastating (China Telecom 2010 hijacking US traffic, AWS Route 53 incident 2018). Modern attacks combine multiple techniques.
+ How does Evilginx / real-time phishing relay defeat MFA?
Modern phishing kits like Evilginx2, Modlishka, and Muraena act as a transparent reverse proxy between the victim and the legitimate site. Workflow: (1) victim clicks phishing link, (2) lands on attacker's site that perfectly mirrors the real one, (3) victim enters username, password, MFA code — all relayed in real time to the legitimate site, (4) legitimate site authenticates and issues a session cookie, (5) attacker captures the cookie and uses it directly, bypassing MFA. This defeats SMS-OTP, TOTP authenticator apps, push notifications, voice OTP — every MFA method that can be relayed. The only reliable defence is **phishing-resistant MFA**: FIDO2 hardware keys, passkeys, WebAuthn — these bind to the legitimate origin and refuse to authenticate against the phishing site.
+ How do you defend against MITM attacks?
Layered defence: (1) **Encryption everywhere** — HTTPS/TLS for web, mutual TLS for service-to-service, encrypted DNS (DoH/DoT), end-to-end encryption for messaging (Signal, modern WhatsApp/iMessage), (2) **HSTS (HTTP Strict Transport Security)** — browsers refuse downgrade from HTTPS to HTTP; HSTS preloading even more secure, (3) **Certificate pinning** — apps and browsers pin specific certificates, refusing to trust new ones (used by mobile banking apps, sensitive applications), (4) **DNSSEC** — cryptographic signing of DNS records, (5) **Phishing-resistant MFA** (FIDO2, passkeys) — defeats real-time relay phishing, (6) **VPN on untrusted networks** — coffee shops, hotels, airports; modern alternative: ZTNA, (7) **Network controls** — Dynamic ARP Inspection, port security, 802.1X, network segmentation, (8) **User awareness** — recognise typosquatted URLs, certificate warnings, suspicious Wi-Fi names.
+ Are public Wi-Fi networks dangerous for MITM?
Less dangerous in 2026 than they used to be — because most websites and apps now use HTTPS by default, which encrypts content even on hostile Wi-Fi. The remaining risks: (1) **Evil-twin Wi-Fi** — rogue AP impersonating a legitimate hotspot (Starbucks_FREE, Hotel_WIFI); auto-connect to an attacker's network, (2) **DNS hijacking** — attacker's Wi-Fi serves malicious DNS, redirecting to phishing sites, (3) **TLS downgrade attempts** — old browsers/apps may accept invalid certificates, (4) **Captive portals** — fake login pages can be perfect MITM bait, (5) **Apps using HTTP** — increasingly rare but still exists. Recommendations: (1) Use a personal hotspot when possible, (2) VPN/ZTNA for sensitive activity (banking, work), (3) HTTPS-only mode in browsers, (4) Disable Wi-Fi auto-connect, (5) Forget unknown networks after use.
+ What is BGP hijacking and how does it relate to MITM?
BGP (Border Gateway Protocol) is the routing protocol of the internet. Networks announce which IP ranges they own; other networks accept and forward those announcements. BGP has weak authentication — a malicious or misconfigured network can announce ranges it doesn't own, causing traffic intended for the legitimate owner to flow through the attacker. Famous incidents: Pakistan Telecom blocking YouTube globally (2008), China Telecom 18-minute global routing leak (2010), AWS Route 53 hijack stealing $150K cryptocurrency (2018), Russia hijacking US military and tech traffic (2022). Defences (slow rollout): (1) **RPKI (Resource Public Key Infrastructure)** — cryptographically signs route announcements; major networks now drop unsigned/invalid routes, (2) **BGPsec** — fully secured BGP, less deployed, (3) **Mutually Agreed Norms for Routing Security (MANRS)** — voluntary commitments. End users can't directly defend against BGP hijacking — but TLS/HTTPS still encrypts content.
+ Can MITM be detected?
Yes, but not always easily. Detection methods: (1) **TLS certificate validation** — browsers warn on invalid certificates; apps with certificate pinning detect MITM attempts, (2) **HSTS preload** — browsers refuse to connect over HTTP even on first visit, (3) **DNS-over-HTTPS** — encrypted DNS prevents tampering, makes anomalies more visible, (4) **Network monitoring** — anomalous gateway changes, unexpected ARP traffic, certificate changes (NDR tools, Wazuh, OSSEC), (5) **EDR/XDR** — detects credential dumping after MITM-driven credential theft, (6) **User reports** — certificate warnings, slow connections, unexpected disconnections. For organisations: regularly audit Wi-Fi access points, monitor BGP route announcements (BGPmon, ThousandEyes), enforce HSTS preload, deploy phishing-resistant MFA.
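As an added example of the "network monitoring" item above (not code from the page or from any named tool), this script looks for two ARP-spoofing symptoms in a stream of observed ARP replies: the gateway's MAC address changing, and one MAC address answering for more than one IP. The log format and every entry in it are constructed for the example; the gateway address is an assumption about the monitored segment.

```python
# Added example (not from the page): flag ARP-spoofing symptoms in a log of
# observed ARP replies. Log format, addresses and entries are constructed;
# the gateway IP is an assumption about the monitored segment.
from collections import defaultdict

GATEWAY_IP = "10.0.0.1"  # assumed default gateway of the monitored segment

# Constructed sample: at 09:01 a second host starts answering for the gateway
# and for 10.0.0.20; at 09:01:30 the real gateway answers again (flip-flop).
SAMPLE_ARP_LOG = """\
2024-05-01T09:00:01 reply 10.0.0.1 is-at aa:bb:cc:00:00:01
2024-05-01T09:00:05 reply 10.0.0.20 is-at aa:bb:cc:00:00:20
2024-05-01T09:00:09 reply 10.0.0.21 is-at aa:bb:cc:00:00:21
2024-05-01T09:01:00 reply 10.0.0.1 is-at de:ad:be:ef:00:99
2024-05-01T09:01:02 reply 10.0.0.20 is-at de:ad:be:ef:00:99
2024-05-01T09:01:30 reply 10.0.0.1 is-at aa:bb:cc:00:00:01
"""


def parse_line(line):
    """Return (timestamp, ip, mac) for '<ts> reply <ip> is-at <mac>', else None."""
    fields = line.split()
    if len(fields) != 5 or fields[1] != "reply" or fields[3] != "is-at":
        return None
    return fields[0], fields[2], fields[4].lower()


def analyze(log_text, gateway_ip=GATEWAY_IP):
    """Walk the log in order and return a list of (kind, timestamp, detail) alerts.

    kinds:
      gateway_mac_change      the gateway IP is now answered by a different MAC
      ip_mac_change           any other IP changed MAC (possible poisoning of that host)
      mac_claims_multiple_ips one MAC answers for several IPs; a weak signal on its
                              own (routers and VRRP do this legitimately) but strong
                              when it coincides with the two changes above
    """
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    alerts = []
    for line in log_text.splitlines():
        record = parse_line(line)
        if record is None:
            continue
        ts, ip, mac = record
        previous = ip_to_mac.get(ip)
        if previous is not None and previous != mac:
            kind = "gateway_mac_change" if ip == gateway_ip else "ip_mac_change"
            alerts.append((kind, ts, f"{ip}: {previous} -> {mac}"))
        ip_to_mac[ip] = mac
        mac_to_ips[mac].add(ip)
        if len(mac_to_ips[mac]) > 1:
            alerts.append(("mac_claims_multiple_ips", ts,
                           f"{mac} answers for {sorted(mac_to_ips[mac])}"))
    return alerts


if __name__ == "__main__":
    for kind, ts, detail in analyze(SAMPLE_ARP_LOG):
        print(f"{ts} {kind}: {detail}")
```

In a real deployment the known gateway MAC would be pinned in configuration so the first deviation alerts immediately rather than only on a change, and MACs that legitimately serve several IPs would be allow-listed; the flip-flop pattern (gateway MAC changing and then changing back) is the signature to prioritise, since a benign hardware replacement changes once and stays changed.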