MITM — ikki tomon o‘rtasidagi aloqaga yashirin kirib, trafficni kuzatish, uzatish yoki o‘zgartirish hujumi. To‘liq nomi Man-in-the-Middle. Hujumchi har ikki tomon bilan alohida aloqa o‘rnatib, ularni bevosita bir-biri bilan gaplashyapti deb o‘ylashga majbur qiladi.
MITM credential theft, session hijacking, data modification va zararli content qo‘shishga olib kelishi mumkin.
Asosiy oqim
Oddiy aloqa:
Client ↔ Server
MITM holati:
Client ↔ Attacker ↔ Server
Attacker trafficni relay qiladi.
Agar encryption va authentication to‘g‘ri ishlamasa contentni o‘qishi yoki almashtirishi mumkin.
ARP spoofing
Lokal tarmoqda attacker gateway IP manzilini o‘z MAC manziliga bog‘lovchi ARP javoblar yuboradi.
Client trafficni attackerga yuboradi.
Attacker uni haqiqiy gatewayga uzatib connectionni saqlashi mumkin.
Dynamic ARP inspection va segmentatsiya himoya beradi.
Rogue access point
Attacker qonuniy Wi-Fi nomiga o‘xshash access point yaratadi.
User unga ulanganida barcha traffic attacker qurilmasidan o‘tadi.
Captive portal credential yoki payment ma’lumotini yig‘ishi mumkin.
DNS manipulation
DNS javob soxtalashtirilib client attacker serveriga yo‘naltiriladi.
Agar application certificate’ni to‘g‘ri tekshirsa soxta server aniqlanadi.
Certificate warningni e’tiborsiz qoldirish MITMni muvaffaqiyatli qilishi mumkin.
TLS interception
Korporativ proxy managed qurilmaga ishonchli root certificate o‘rnatib TLS trafficni security maqsadida inspect qilishi mumkin.
Bu nazoratli MITMga o‘xshash architecture.
Private key, access, bypass list va privacy qat’iy boshqariladi.
Personal yoki certificate-pinned applicationlar bilan compatibility muammosi bo‘lishi mumkin.
Certificate validation
Client server certificate’ini tekshiradi:
- host nomi;
- validity;
- trusted issuer;
- signature;
- revocationga oid signal;
- certificate chain.
Validation o‘chirilsa TLS encryption attacker bilan o‘rnatilishi mumkin.
Mutual authentication
Faqat client serverni emas, server ham client identity’ni certificate orqali tekshiradi.
mTLS service-to-service communicationda MITM va soxta client xavfini kamaytiradi.
Certificate lifecycle va rotation muhim.
Session hijacking
Attacker session cookie yoki tokenni olishi mumkin.
Agar connection keyin HTTPSga o‘tsa ham oldin olingan token ishlatilishi ehtimoli bor.
Secure, HttpOnly va SameSite cookie, short lifetime va token bindingga yaqin himoyalar qo‘llanadi.
SSL stripping
Attacker userni HTTPS o‘rniga HTTP connectionda ushlab turishga urinadi.
HSTS browserga ma’lum domen uchun faqat HTTPS ishlatishni buyuradi.
Preload ro‘yxati birinchi connectiondagi downgrade xavfini kamaytiradi.
Data modification
MITM faqat tinglamaydi, packet yoki response’ni o‘zgartirishi ham mumkin.
Masalan:
- download faylini almashtirish;
- bank rekvizitini o‘zgartirish;
- script qo‘shish;
- commandni almashtirish;
- update’ni zararli packagega yo‘naltirish.
Digital signature content yaxlitligini tekshiradi.
API communication
- HTTPS;
- certificate validation;
- request signature;
- timestamp;
- nonce;
- server identity
dan foydalanishi mumkin.
Faqat API keyni plaintext yoki noto‘g‘ri TLS orqali uzatish xavfli.
Belgilar
MITM indikatorlari:
- certificate warning;
- issuer o‘zgarishi;
- DNS va IP nomuvofiqligi;
- gateway MAC o‘zgarishi;
- kutilmagan redirect;
- HTTP downgrade;
- g‘ayrioddiy proxy;
- connection fingerprint farqi.
Managed korporativ proxy ham certificate issuerni o‘zgartirishi mumkin, shu sababli context tekshiriladi.
Himoya
Himoya qatlamlari:
- TLS va HSTS;
- certificate validation;
- mTLS;
- secure Wi-Fi;
- VPN;
- DNSSEC va trusted resolver;
- ARP inspection;
- signed update;
- end-to-end encryption;
- network monitoring.
Incident
MITM gumon qilinsa credential va tokenlar xavf ostida deb qaraladi. Qurilma trusted networkga o‘tkaziladi, sessionlar bekor qilinadi, certificate va proxy configuration tekshiriladi, DNS va gateway holati tahlil qilinadi.
Certificate pinning
Ayrim mobile yoki high-security client ma’lum certificate yoki public keyga ishonchni cheklaydi. Bu user qurilmasiga yangi root certificate qo‘shilgan taqdirda ham noma’lum proxy’ni rad etishi mumkin. Pin yangilanishi va key rotation rejalashtirilmasa qonuniy certificate almashtirish applicationni ishdan chiqaradi.
End-to-end signature
Transport bir nechta proxy orqali o‘tsa ham payload application private keyi bilan imzolanishi mumkin. Receiver signature orqali content yo‘lda o‘zgarmaganini tekshiradi. Bu maxfiylik bermaydi; zarur bo‘lsa encryption bilan birga ishlatiladi.
Captive portal
Public Wi-Fi internetga kirishdan oldin HTTP sahifa ko‘rsatishi mumkin. User certificate warning ko‘rsa login ma’lumotini kiritmasligi kerak. Captive portal tugagach xizmatlar HTTPS va to‘g‘ri certificate bilan ishlashi kerak.
Secure update
Software update package imzolangan bo‘lsa MITM download faylini almashtirsa validation xato beradi. Faqat HTTPSga emas, artifact signature va checksum provenance’iga ham tayanish supply-chain himoyasini oshiradi.
Proxy konfiguratsiyasi
Application system proxy, environment variable yoki PAC faylini avtomatik ishlatishi mumkin. Noto‘g‘ri o‘zgartirilgan proxy barcha trafficni attackerga yo‘naltiradi. Managed qurilmada proxy policy himoyalanadi va noma’lum local certificate hamda tunnel applicationlar audit qilinadi.
Mobile application
Mobile application certificate validationni custom yozsa xato qilish ehtimoli bor. Test muhit uchun “barcha certificatega ishonish” kodi production buildga kirmasligi kerak. Network security configuration va platformaning standart TLS stackidan foydalanish xavfsizroq.
Public key tasdiqlash
Yuqori xavfli tizimlarda server public key fingerprinti deployment konfiguratsiyasi yoki ishonchli boshqaruv kanali orqali tekshirilishi mumkin. Birinchi connectionda noma’lum fingerprintni avtomatik qabul qilish attackerga o‘z kalitini tanishtirish imkonini beradi.
Bog‘liq tushunchalar
Man-in-the-Middle, ARP spoofing, DNS spoofing, Eavesdropping, TLS, Certificate validation, HSTS, Session hijacking, Rogue access point, mTLS