Man-in-the-Middle Attacks Evolved... but Our Security Models Didn’t

  • Hugo JonkerEmail author
  • Sjouke Mauw
  • Rolando Trujillo-Rasua
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10368)


The security community seems to be thoroughly familiar with man-in-the-middle attacks. However, the common perception of this type of attack is outdated. It originates from when network connections were fixed, not mobile, before 24/7 connectivity became ubiquitous. The common perception of this attack stems from an era before the vulnerability of the protocol’s context was realised. Thanks to revelations by Snowden and by currently available man-in-the-middle tools focused on protocol meta-data (such as so-called “Stingrays” for cellphones), this view is no longer tenable. Security protocols that only protect the contents of their messages are insufficient. Contemporary security protocols must also take steps to protect their context: who is talking to whom, where is the sender located, etc.

In short: the attacker has evolved. It’s high time for our security models and requirements to catch up.


  1. 1.
    Adrian, D., Bhargavan, K., Durumeric, Z., Gaudry, P., Green, M., Halderman, J.A., Heninger, N., Springall, D., Thomé, E., Valenta, L., VanderSloot, B., Wustrow, E., Béguelin, S.Z., Zimmermann, P.: Imperfect forward secrecy: how Diffie-Hellman fails in practice. In: Proceedings of 22nd Conference on Computer and Communications Security (CCS 2015), pp. 5–17. ACM (2015)Google Scholar
  2. 2.
    Aviram, N., Schinzel, S., Somorovsky, J., Heninger, N., Dankel, M., Steube, J., Valenta, L., Adrian, D., Halderman, J.A., Dukhovni, V., Ksper, E., Cohney, S., Engels, S., Paar, C., Shavitt, Y.: DROWN: Breaking TLS using SSLv2 (2016)Google Scholar
  3. 3.
    Avoine, G., Mauw, S., Trujillo-Rasua, R.: Comparing distance bounding protocols: a critical mission supported by decision theory. Comput. Commun. 67, 92–102 (2015)CrossRefGoogle Scholar
  4. 4.
    Beurdouche, B., Bhargavan, K., Delignat-Lavaud, A., Fournet, C., Kohlweiss, M., Pironti, A., Strub, P.-Y., Zinzindohoue, J.K.: A messy state of the union: taming the composite state machines of TLS. In: Proceedings of 36th Symposium on Security and Privacy (S&P 2015), pp. 535–552. IEEE Computer Society (2015)Google Scholar
  5. 5.
    Brands, S., Chaum, D.: Distance-bounding protocols. In: Helleseth, T. (ed.) EUROCRYPT 1993. LNCS, vol. 765, pp. 344–359. Springer, Heidelberg (1994). doi: 10.1007/3-540-48285-7_30 Google Scholar
  6. 6.
    Dabrowski, A., Pianta, N., Klepp, T., Mulazzani, M., Weippl, E.R.: IMSI-catch me if you can: IMSI-catcher-catchers. In: Proceedings of 30th Annual Computer Security Applications Conference (ACSAC 2014), pp. 246–255. ACM (2014)Google Scholar
  7. 7.
    Dolev, D., Yao, A.C.: On the security of public key protocols. IEEE Trans. Inf. Theor. 29(12), 198–208 (1983)MathSciNetCrossRefzbMATHGoogle Scholar
  8. 8.
    Lowe, G.: A hierarchy of authentication specifications. In: Proceedings of 10th Workshop on Computer Security Foundations (CSFW 1997), pp. 31–43. IEEE Computer Society (1997)Google Scholar
  9. 9.
    Meyer, U., Wetzel, S.: A man-in-the-middle attack on UMTS. In: Proceedings of 3rd Workshop on Wireless Security (WiSE 2004), New York, NY, USA, pp. 90–97. ACM (2004)Google Scholar
  10. 10.
    Möller, B., Duong, T., Kotowicz, K.: This POODLE bites: exploiting the SSL 3.0 fallback (2014)Google Scholar

Copyright information

© Springer International Publishing AG 2017

Authors and Affiliations

  • Hugo Jonker
    • 1
    Email author
  • Sjouke Mauw
    • 2
  • Rolando Trujillo-Rasua
    • 2
  1. 1.Open University of the NetherlandsHeerlenThe Netherlands
  2. 2.University of LuxembourgLuxembourg CityLuxembourg

Personalised recommendations