Topic 30

Eavesdropping and the Man in the Middle

Concept

When Olivia opens her laptop at a café and joins the free Wi-Fi, her messages, logins, and page requests travel across a network that strangers around her are also using. On a shared road like that, who else can see what she sends?

The answer is the worry behind this topic. Someone else on that network can quietly eavesdrop — read the traffic as it passes. Or they can go further and sit in the middle, relaying the conversation between Olivia and the website while reading or changing it, with both sides believing they are talking to each other directly.

Picture an interpreter standing between two people who don't share a language. Both of them trust the interpreter to pass messages faithfully. But a dishonest interpreter could quietly mistranslate, or pocket a secret one side meant only for the other — and neither person would ever know. That is exactly the position an attacker tries to take on the network.

[Diagram: Olivia talks to a website, but an attacker can slip between them. On the shared café Wi-Fi, one side is Olivia's laptop and the other side is the real website; the attacker in the middle relays every message and can read or change it. With HTTPS encryption, the middle still relays the traffic, but it is scrambled, so reading or faking it fails.]

Eavesdropping: Silent Listening

Eavesdropping is the simplest version: the attacker just listens. They change nothing and announce nothing. They sit on the same network and copy down whatever passes by, the way someone at the next table might overhear your conversation without you noticing.

This works when a connection is sent in the clear — unscrambled, as plain readable text. The old web protocol HTTP (the rules a browser and a website use to talk) sends pages exactly that way. On plain HTTP over public Wi-Fi, anything Olivia types could be read by someone else on the network. The attacker doesn't break in anywhere; they simply read what was already passing in the open.

Man in the Middle: Active Interception

A man-in-the-middle attack goes a step beyond listening. Here the attacker positions themselves between Olivia and the website so that every message flows through them. They impersonate the website to Olivia and impersonate Olivia to the website, relaying messages back and forth — and reading or altering them on the way.

This is the dishonest interpreter from earlier, now doing real damage. Because everything passes through the attacker, they can do more than overhear. They can change a payment detail, swap a link, or capture a login, while both sides still believe they have a private, direct line to each other.

So the two attacks differ in one key way. Eavesdropping only reads. A man-in-the-middle reads, changes, and impersonates.

Eavesdropping vs. Man in the Middle

Eavesdropping: reads only. The attacker copies traffic as it passes, changes nothing, and neither side ever notices.
Man in the Middle: relays, reads, and alters. The attacker impersonates the website to Olivia and Olivia to the website, with full control over what passes through.

Why Does HTTPS Defeat This?

This is the attack the encryption chapters were really about. HTTPS is HTTP with encryption added — the traffic between Olivia's browser and the website is scrambled so that anyone in between sees only meaningless noise.

That alone kills eavesdropping. The attacker can still copy the traffic as it passes, but it is unreadable, so listening gains them nothing.

HTTPS also brings a second defense against the man in the middle: the certificate (from Chapter 5) — a kind of verified ID card a website presents to prove it really is who it claims to be. An impostor trying to pose as the real site can't produce a valid certificate for it, so the browser notices the mismatch and warns the user instead of trusting the fake.
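To make the difference concrete, here is an added Python simulation (not part of the course) of the café network: a relay object stands in for the attacker, a cleartext exchange shows what eavesdropping and alteration look like, and an encrypt-then-MAC channel shows why the same relay then sees only noise and has any change caught. The cipher is a constructed HMAC-based toy standing in for real TLS record protection, and the example covers only the encryption and integrity side, not the certificate check.

```python
import hmac, hashlib, os

MSG = b"pay 20 EUR to account 1111"   # constructed sample message from Olivia to the website
KEY = os.urandom(32)                  # stands in for the session key HTTPS negotiates

class Relay:
    """The attacker's position on the shared network: every message passes through here."""
    def __init__(self, tamper=None):
        self.seen = []          # eavesdropping: a copy of everything that passed by
        self.tamper = tamper    # None = passive listener; a function = active man in the middle
    def forward(self, msg):
        self.seen.append(msg)
        return self.tamper(msg) if self.tamper else msg

def flip_byte(msg, index=22, mask=0x08):
    # Active alteration: in the clear this turns the account digit '1' (0x31) into '9' (0x39)
    b = bytearray(msg); b[index] ^= mask; return bytes(b)

def keystream(key, nonce, n):
    # Counter-mode keystream from HMAC-SHA256: a toy cipher for the demo, not what TLS uses
    out = b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                   for i in range((n + 31) // 32))
    return out[:n]

def seal(key, plaintext):
    # Encrypt-then-MAC: confidentiality from the keystream, integrity from the HMAC tag
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, packet):
    nonce, ct, tag = packet[:16], packet[16:-32], packet[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("altered in transit")   # the receiver refuses the message instead of trusting it
    return bytes(a ^ b for a, b in zip(ct, keystream(key, nonce, len(ct))))

def plain_http(relay):
    """Cleartext: the website receives whatever the relay chose to pass on."""
    return relay.forward(MSG)

def https_like(relay):
    """Encrypted and authenticated: returns the message, or None if tampering was detected."""
    try:
        return unseal(KEY, relay.forward(seal(KEY, MSG)))
    except ValueError:
        return None
```

Run the two exchanges through a passive relay and a tampering relay: in the clear the listener reads the message verbatim and the tamperer changes the account number unnoticed; with the sealed channel the listener's copy is unreadable and the altered packet is rejected.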

Where It Still Bites

These defenses are strong, but they only protect when they're actually in use and actually heeded. A few gaps keep this attack alive.

If a connection still uses plain HTTP, there is no encryption to scramble it and no certificate to check — eavesdropping and interception both work. And if a browser shows a certificate warning but the person clicks past it, they may be waving through the very impostor the certificate was there to catch.

  • Plain HTTP: no encryption, no certificate — the traffic travels in the open.
  • Ignored certificate warnings: the browser flagged a mismatch, and dismissing it can mean trusting an interceptor.
  • Fake networks: an attacker can run a Wi-Fi network that looks legitimate, then watch everything that joins it.

The lesson isn't a checklist to follow — it's an understanding: encryption and certificates are the machinery that defeats this attack, which is why a connection without them, or a warning brushed aside, reopens the door.

Common Confusions

  • "Public Wi-Fi is safe because it has a password." A shared Wi-Fi password lets you onto the network, but it doesn't wall you off from the other people on it. What actually protects Olivia's data is her traffic being encrypted (HTTPS), not the network having a password.
  • "Eavesdropping and man-in-the-middle are the same thing." Eavesdropping only listens and changes nothing. A man-in-the-middle relays the conversation while reading and altering it, and impersonates each side to the other.
  • "A certificate warning is just a nuisance to click past." That warning can be the exact sign of an interception in progress. It is a defense doing its job — the browser caught an ID that didn't match.

Why It Matters

  • This is the concrete attack the encryption chapters exist to stop — it shows why scrambling traffic and checking certificates were worth learning.
  • It explains the real risk of open networks: the danger isn't the free Wi-Fi itself, it's traffic that travels unencrypted across it.
  • It reframes a certificate warning as a red flag rather than an annoyance — sometimes it is the only sign that someone is sitting in the middle.

Knowledge Check

What is the key difference between eavesdropping and a man-in-the-middle attack?

  • Eavesdropping changes messages, while a man-in-the-middle only listens
  • Eavesdropping only reads traffic; a man-in-the-middle also alters and impersonates
  • Eavesdropping requires physical access to the victim's laptop, while a man-in-the-middle can operate entirely remotely over the network
  • There is no real difference; they are two names for the same attack

Why does HTTPS make eavesdropping on a connection useless?

  • It stops all traffic from ever passing through the shared network, keeping it completely hidden from other users
  • It encrypts the traffic so anything intercepted is unreadable noise
  • It sends the data so fast that no one has time to read it
  • It gives the whole café network a stronger password

Olivia joins café Wi-Fi that required a password. Why doesn't that password keep her data safe from others on the network?

  • Because café passwords are always too short to be secure
  • The password only lets her join the network; it doesn't separate her data from others
  • Because the Wi-Fi password automatically expires and stops working as soon as she finishes the initial connection
  • Because too many other people know the same password

A browser shows a certificate warning when Olivia visits a familiar site on public Wi-Fi. Why is this worth taking seriously?

  • It can mean an impostor is posing as the real site — the browser caught an identity mismatch
  • It only means the website is loading slowly today
  • It is a completely routine message that every secure website automatically shows to users connecting via public Wi-Fi networks
  • It means Olivia's password has expired and needs resetting
