How to detect an SSL Man-in-the-middle attack

Hi Lyuba

this week’s paper by Facebook Research is a bit dated (2014) as you also feel when reading through it (as it uses Flash Player as research ground), but nevertheless I learned quite a bit about how to perform and also detect an SSL Man-in-the-middle attack. In comparison to other approaches, the researcher in this paper was able to detect malicious SSL certificates without adding additional software to the browser. (TIL: Flash supported raw sockets)

Nice start into the world of SSL security and despite its age, I consider this a great article and a worthy read.

Software exists to create business value

I am Simon Frey, the author of the Weekly CS Paper Newsletter. And I have great news: You can work with me

As CTO as a Service, I will help you choose the right technology for your company, build up your team and be a deeply technical sparring partner for your product development strategy.



The SSL man-in-the-middle attack uses forged SSL certificates to intercept encrypted connections between clients and servers. However, due to a lack of reliable indicators, it is still unclear how commonplace these attacks occur in the wild. In this work, we have designed and implemented a method to detect the occurrence of SSL man-in-the-middle attack on a top global website, Facebook. Over 3 million real-world SSL connections to this website were analyzed. Our results indicate that 0.2% of the SSL connections analyzed were tampered with forged SSL certificates, most of them related to antivirus software and corporate-scale content filters. We have also identified some SSL connections intercepted by malware. Limitations of the method and possible defenses to such attacks are also discussed.
