# Intercepting Network Connections: Unencrypted vs. Encrypted

## Contents
1. Intercepting Unencrypted Connections
2. Intercepting Encrypted Connections
3. Is a Closed Padlock a Guarantee?


## 1. Intercepting Unencrypted Connections

### How can attackers intercept unencrypted connections?

- **Packet sniffing (e.g., Wireshark):** Any device on the same network (LAN, public WiFi) can see all traffic in plaintext.
- **Man-in-the-middle (MitM):** Attacker places themselves between client and server by ARP spoofing or rogue access point.
- **Rogue DHCP/WiFi Hotspot:** Malicious hotspots can intercept HTTP and redirect or capture login forms.
- **DNS spoofing:** Manipulate DNS responses to redirect users to fake sites.


```python
# Simulate why plain HTTP is insecure (local strings only; nothing is sent on any network)
# Info: On public Wi-Fi, HTTP requests can be read by anyone with Wireshark:
#      GET /login HTTP/1.1\nHost: site.com\nAuthorization: Basic dXNlcjpwYXNz

# A constructed HTTP request carrying HTTP Basic credentials (base64 is encoding, not encryption)
sample_http_request = (
    "GET /login HTTP/1.1\n"
    "Host: example.com\n"
    "Authorization: Basic dXNlcm5hbWU6cGFzc3dvcmQ=\n\n"
)
print("UNENCRYPTED HTTP TRAFFIC (sniffable):\n")
print(sample_http_request)
print("Attacker reading this sees the username and password instantly.\n")
```

## 2. Intercepting Encrypted Connections

### Are encrypted connections immune? No! Some MitM tricks:

- **Fake/untrusted Certificate Authority (CA):** Attacker installs their own CA on the victim's device, or an enterprise proxy does so ("SSL inspection").
- **SSL Stripping:** Downgrade HTTPS to HTTP if the site isn't HSTS protected.
- **DNS poisoning:** Redirects users to a copycat HTTPS site controlled by attacker.
- **Malware-in-the-browser:** Installs a proxy and root CA, allowing interception and decryption of all HTTPS traffic.


## 3. Is a Closed Padlock a Guarantee?

> **Statement:** "A closed padlock in the browser bar means that the connection is secure and the domain visited is authentic."

### Evaluation:

- **Padlock = connection is encrypted** between browser and server
- **Padlock does NOT always mean:**
  - The *site* is authentic (phishing sites can get certificates)
  - The organization is who you think it is (lookalike domain, e.g., g00gle.com)
  - The certificate wasn't issued by a fake or compromised CA installed on your system
  - The content behind the certificate is legitimate (it only verifies the cert/public key)

### Real-World Example
- Anyone can register `mybank-support-secure.com` and get a legitimate padlock and certificate for it.
- Victim may trust the padlock, but it's a phishing site.
- Some malware installs its own CA, so the padlock hides the attacker's MitM.
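As an added example (not part of the original notes), the following Python separates the two things the padlock conflates: whether the certificate's names match the hostname, and whether the hostname merely imitates a known brand. The homoglyph table, brand list and certificate names are constructed assumptions for illustration.

```python
import re

# Digit/letter lookalikes often seen in deceptive domains (constructed, deliberately not exhaustive)
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "rn": "m", "vv": "w"}


def normalize_label(label):
    """Fold lookalike characters so that 'g00gle' compares equal to 'google'."""
    s = label.lower()
    for src, dst in HOMOGLYPHS.items():
        s = s.replace(src, dst)  # heuristic: 'modern' also folds to 'modem'
    return s


def hostname_matches_cert(hostname, san_names):
    """Minimal RFC 6125-style match: exact name, or a single '*' wildcard covering one label."""
    host = hostname.lower().rstrip(".")
    for name in san_names:
        name = name.lower()
        if name.startswith("*."):
            suffix = name[1:]  # '.example.com'
            if host.endswith(suffix) and "." not in host[:-len(suffix)]:
                return True
        elif name == host:
            return True
    return False


def lookalike_of(hostname, brands):
    """Return the brand a hostname imitates (by homoglyphs or by embedding it), else None."""
    labels = hostname.lower().rstrip(".").split(".")
    registrable = labels[-2] if len(labels) >= 2 else labels[0]  # crude: 'example' from 'www.example.com'
    folded = normalize_label(registrable)
    for brand in brands:
        if registrable == brand:
            return None  # this is the genuine domain
        if folded == brand or brand in re.split(r"[-_]", registrable):
            return brand
    return None


def assess(hostname, san_names, brands):
    """'padlock' answers only 'is this the host the cert was issued for', not 'is it who you think'."""
    return {"padlock": hostname_matches_cert(hostname, san_names),
            "lookalike_of": lookalike_of(hostname, brands)}


if __name__ == "__main__":
    # A valid certificate for a lookalike host: padlock closed, site still deceptive
    print(assess("g00gle.com", ["g00gle.com", "www.g00gle.com"], ["google", "mybank"]))
```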


**Summary Table:**

| Symbol         | Connection Encrypted? | Authentic Site?             |
|----------------|-----------------------|-----------------------------|
| No padlock     | ❌                    | ❌                          |
| Padlock, green | ✅                    | ❓ (sometimes)              |
| EV certificate | ✅                    | ✅ (organization validated) |

> **Always check:** the domain name and the certificate details, and never rely only on the padlock symbol for authenticity.