Lab Instructions
Threat Landscape Overview : MITM
Passive observation lab. Use only your own computer and your own or authorized network. Do not capture traffic you do not have permission to capture.
Objective
- Understand how unencrypted HTTP traffic appears on a network
- Visually see plaintext data in packet captures
- Compare HTTP (port 80) vs HTTPS (port 443)
- Understand why encryption defeats Man-in-the-Middle attacks
- This is a passive observation lab — no attacking, no exploitation
Critical Legal and Safety Warning
- Packet capture tools like Wireshark can capture all traffic on a network segment. Capturing traffic that is not yours, or on networks you do not own or have permission to test, may be illegal.
- You MUST: Use your own computer; use your own home network OR isolated lab network; have explicit permission if on school or company network; capture only your own traffic.
- You MUST NOT: Capture traffic on public Wi-Fi; capture other students' traffic; attempt interception, poisoning, or manipulation; try to collect passwords or sensitive data.
- This lab is about learning how encryption protects users, not breaking security.
- Ethical rule: If you do not own it or have permission, do not capture it.
Lab Setup Requirements
You need: a web browser (Chrome, Firefox, or Edge); an internet connection; and administrative (or root) privileges to capture packets. You also need Wireshark installed. Below is how to download and install it.
How to Download and Install Wireshark
Download Wireshark only from the official site: https://www.wireshark.org/download.html
Choose your operating system below to see the exact steps.
Windows
On the download page, under "Windows", click the "Installer" link (e.g. "64-bit") to download the .exe file.
Run the downloaded installer and allow it to run with administrator rights when prompted. Click Next through the wizard. On the "Choose Components" screen you can leave the default options (Wireshark and the usual components). When the installer offers to install Npcap (older installers offered WinPcap), accept it: this packet capture driver is required for capturing packets on Windows. Complete the installation with Next and Finish, restart your computer if the installer suggests it, and then open Wireshark from the Start menu.
Verify Installation
When you launch Wireshark, you should see a list of network interfaces (e.g. Wi-Fi, Ethernet). If you see that list, Wireshark is installed correctly. If capture fails, ensure you are running with the required privileges (administrator on Windows, or your user in the wireshark group / with appropriate permissions on macOS and Linux).
Safe HTTP Test Websites
We will use intentionally available HTTP-only test sites.
Primary site (recommended): neverssl.com — designed specifically to avoid HTTPS, perfect for demonstration, no automatic redirect. Use: http://neverssl.com
Secondary site (optional for POST testing): httpbin.org. Use http://httpbin.org/get or http://httpbin.org/post
Part 1: Capturing Plaintext HTTP Traffic
In this part you will capture and inspect unencrypted HTTP traffic using Wireshark.
Step 1: Start Wireshark
Open Wireshark. Select your active network interface (Wi-Fi if wireless, Ethernet if wired). Double-click the active interface to begin capture. Packets will start scrolling immediately.
Step 2: Apply a Filter
To focus only on HTTP traffic, enter this in the filter bar:
tcp.port == 80
Press Enter. This display filter hides all unrelated traffic and shows only packets to or from TCP port 80, the default HTTP port.
Step 3: Generate HTTP Traffic
Open your browser. In the address bar, type: http://neverssl.com
Make sure it says http:// and there is no lock icon. Refresh the page 2–3 times. Return to Wireshark.
Step 4: Inspect the Traffic
You should now see packets appear. Look for lines labeled GET and HTTP.
Click one of the GET packets. In the middle pane, expand "Hypertext Transfer Protocol". You should see something like:
GET / HTTP/1.1
Host: neverssl.com
User-Agent: Mozilla/5.0...
This is plaintext.
Step 5: Follow the Full Conversation
Right-click on one HTTP packet. Select Follow, then TCP Stream. A new window opens.
You will see the full HTTP request, the server response, and all readable text. Everything is visible. This is exactly what an attacker could see if traffic is unencrypted.
Part 2: Compare with HTTPS
Now we demonstrate encryption.
Step 1: Change the Filter
Change the filter to:
tcp.port == 443
Press Enter.
Step 2: Visit an HTTPS Site
Go to https://google.com (or any secure site).
Step 3: Observe the Difference
Click a packet. Instead of readable HTTP, you will see: Transport Layer Security; Application Data; Encrypted Application Data.
Right-click and choose Follow TCP Stream. You will see unreadable ciphertext — random characters. You cannot see passwords, headers, cookies, or content. This is encryption in action.
Key Comparison
                             HTTP (Port 80)   HTTPS (Port 443)
Readable                     Yes              No
Encrypted                    No               Yes
Vulnerable to MITM reading   Yes              No (if properly configured)
Shows GET headers            Yes              No
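As an added illustration that is not part of the original lab, the following Python script classifies a TCP payload the way Wireshark's dissector labels it: a plaintext HTTP request, whose request line and Host header are readable to anyone on the path, versus a TLS record, where only the 5-byte record header (content type, version, length) is readable and the rest is ciphertext. The two sample payloads are constructed for the example, not taken from a capture.

```python
# Added example: label a TCP segment's payload as plaintext HTTP or a TLS record,
# mirroring what Parts 1 and 2 of the lab show in Wireshark. Samples are constructed.

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")
# TLS record-layer content types (RFC 5246 / RFC 8446).
TLS_CONTENT_TYPES = {20: "Change Cipher Spec", 21: "Alert",
                     22: "Handshake", 23: "Application Data"}


def classify_payload(payload: bytes) -> dict:
    """Return what a passive observer could learn from one segment's bytes."""
    # Plaintext HTTP: request line and headers are readable ASCII, so the
    # Host, path and User-Agent are exposed exactly as Part 1 shows.
    if payload.startswith(HTTP_METHODS) or payload.startswith(b"HTTP/1."):
        head, _, body = payload.partition(b"\r\n\r\n")
        lines = head.decode("ascii", errors="replace").split("\r\n")
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            if name:
                headers[name.strip().lower()] = value.strip()
        return {"protocol": "HTTP", "readable": True,
                "start_line": lines[0], "headers": headers, "body": body}
    # TLS record header: 1-byte content type, 2-byte version (0x03 0x0N),
    # 2-byte length. Only this header is readable; what follows is ciphertext,
    # which is the "Encrypted Application Data" line Part 2 shows.
    if (len(payload) >= 5 and payload[0] in TLS_CONTENT_TYPES
            and payload[1] == 3 and payload[2] in (1, 2, 3, 4)):
        length = int.from_bytes(payload[3:5], "big")
        return {"protocol": "TLS", "readable": False,
                "record_type": TLS_CONTENT_TYPES[payload[0]],
                "version": f"3.{payload[2]}", "ciphertext_len": length}
    return {"protocol": "unknown", "readable": False}


# Constructed sample of the Part 1 request (not a real capture).
HTTP_SAMPLE = (b"GET / HTTP/1.1\r\nHost: neverssl.com\r\n"
               b"User-Agent: Mozilla/5.0 (lab)\r\nAccept: */*\r\n\r\n")
# Constructed TLS 1.2 Application Data record: type 0x17, version 0x0303,
# length 16, followed by 16 placeholder ciphertext bytes.
TLS_SAMPLE = bytes([0x17, 0x03, 0x03, 0x00, 0x10]) + bytes(range(0x60, 0x70))

if __name__ == "__main__":
    for sample in (HTTP_SAMPLE, TLS_SAMPLE):
        print(classify_payload(sample))
```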
Why Modern Browsers Force HTTPS
Modern browsers often auto-upgrade to HTTPS, warn about insecure connections, and block mixed content.
If HTTP automatically redirects: ensure you typed http://; temporarily disable HTTPS-only mode (for lab only); use neverssl.com (most reliable).
Discussion: How MITM Relates
If someone performs ARP poisoning, DNS spoofing, or evil twin Wi-Fi, they could see exactly what we just saw in HTTP.
But if traffic is encrypted with TLS, they see only ciphertext. Encryption defeats passive interception. An attacker who instead tries to terminate the TLS connection themselves cannot present a certificate the browser trusts for that site, so the user sees a certificate warning rather than the attacker seeing readable traffic.
Legal and Ethical Reminder (End of Lab)
Wireshark is a diagnostic tool used by network engineers, security analysts, and incident responders. It is not a hacking tool by itself. The difference between ethical use and illegal use is permission.
Never capture traffic on public Wi-Fi, on networks you do not control, or without authorization.
Lab Conclusion
Students should now understand: HTTP sends data in clear text; anyone on-path can read it; HTTPS encrypts data; encryption prevents eavesdropping; MITM relies on weak or unencrypted channels.
Optional Instructor Extension
After lab, ask: Why is HTTPS critical on public Wi-Fi? What happens if a website misconfigures TLS? Why are certificate warnings important?
This transitions perfectly into TLS, certificates, HSTS, and secure cookies.