Security News

Cybersecurity news aggregator

INFO News Reddit r/netsec

How likely is a man-in-the-middle attack?

  • What: The article discusses the likelihood of man-in-the-middle (MITM) attacks, noting they are less common than threats like phishing or ransomware.
  • Impact: Adversary-in-the-middle (AITM) attacks are a small but present threat to network communication.

Abstract

Security vendors love the man-in-the-middle attack. It’s the boogeyman of every TLS marketing page. Some shadowy figure intercepting your traffic, reading your secrets, stealing your data.

A man-in-the-middle attack is when an attacker positions themselves between two parties on a network to intercept the traffic flowing between them. In the context of TLS, that means an attacker who can present a valid certificate can read everything in plaintext and proxy it on to the real server.

But when was the last time you actually heard about one happening? Not a phishing attack. Not malware. Not credential stuffing. An actual man-in-the-middle interception of a TLS connection in the wild.

The Verizon 2025 Data Breach Investigations Report analyzed over 22,000 security incidents. Credential abuse accounted for 22%. Ransomware showed up in 44% of breaches. Phishing was in 16%. The “Adversary-in-the-Middle” is less than 4% of incidents, and the vast majority of those are real-time phishing proxies like Evilginx, not someone intercepting TLS connections with stolen certificates.

The attack everyone worries about is the one that almost never happens.

A stolen private key doesn’t get you very far

Let’s say the worst happens. An attacker steals a server’s TLS private key. Maybe they exploited a vulnerability. Maybe they found it in a git repo (please don’t do this). What can they actually do with it? If you’re running any modern TLS configuration, less than you’d think.

Perfect Forward Secrecy means a stolen private key can’t decrypt recorded traffic. Not past sessions or any future sessions. The “record now, decrypt later” scenario is dead for any connection using forward secrecy, which is now about 94% of the web. At least until quantum computing becomes a reality.

What a stolen key can do is let an attacker impersonate your server. They can present your real certificate, complete a valid TLS handshake, and proxy traffic onward to the real server, without any browser warnings.

But there’s a massive catch: To impersonate your server, the attacker has to intercept the connection before it reaches you. They need a man-in-the-middle network position.

Getting ‘in the middle’ is the hard part

The difficulty of getting “in the middle” of a TLS connection varies enormously depending on where the attacker is and who they’re targeting. The spectrum runs from trivially easy to requiring the resources of an intelligence agency.

On a local network, it’s embarrassingly simple. ARP spoofing requires nothing more than a laptop on the same network and a free tool like Bettercap. One command redirects all traffic on that LAN through the attacker’s machine. Evil twin Wi-Fi attacks are just as easy. A $200 pineapple device or a Linux laptop running hostapd can clone any network name and force nearby devices to connect. In 2024, Australian police arrested a man who ran fake Wi-Fi networks on commercial airline flights, harvesting credentials from passengers.

These attacks are real, but their scope is measured in meters, not miles. The attacker has to be physically present, on the same network, within radio range of their targets. That’s not a scalable attack against your production infrastructure.

DNS hijacking. Compromise a domain’s registrar account and you can redirect DNS queries to attacker-controlled servers. The most notable campaign, Sea Turtle, hit over 40 organizations across 13 countries by going after DNS registries directly. Cisco Talos assessed it as nation-state backed. They didn’t bother stealing private keys. They didn’t need to. They hijacked DNS and got fresh certificates from public CAs.

BGP hijacking. BGP is how internet routers decide where to send traffic. It runs on trust, with no built-in authentication. If an attacker controls a router at an ISP or hosting provider, they can announce false routes and reroute traffic through their own infrastructure. In 2018, attackers compromised a small Ohio ISP, hijacked Amazon Route 53 address space, and redirected MyEtherWallet users to a phishing server for two hours. They stole $150,000 in crypto. The attackers’ wallet already held $27 million. Not a casual operation.

Physical backbone taps are pure nation-state. GCHQ’s TEMPORA program tapped over 200 submarine cables. Hundreds of millions of dollars. Cooperation from telecom providers. You’re not defending against this.

James Mickens put it best in his essay This World of Ours: you’re either dealing with Mossad or not-Mossad. If you’re not-Mossad, good passwords and basic hygiene will keep you safe. If you are the Mossad, “the Mossad is not intimidated by the fact that you employ https://.”

What actually compromises your TLS connections

The attacks that actually compromise TLS connections happen at the endpoints. In 2015, Lenovo shipped consumer laptops with Superfish, a pre-installed root CA that intercepted all HTTPS traffic to inject ads. Every affected laptop shared the same private key, protected by the...
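The abstract's forward-secrecy claim only holds for connections that negotiate an ephemeral key exchange, so a defender will want to confirm that a server's configured suite list contains nothing else. The following is an added example, not code from the article: it classifies cipher suite names (OpenSSL and IANA spellings) by key exchange, and the function names and the sample list are constructed for illustration.

```python
import ssl

# Name fragments that indicate an ephemeral (EC)DH key exchange.
_OPENSSL_FS_PREFIXES = ("ECDHE-", "DHE-", "EDH-")
_IANA_FS_MARKERS = ("_ECDHE_", "_DHE_")


def has_forward_secrecy(suite: str) -> bool:
    """Return True if the suite name implies an ephemeral key exchange."""
    name = suite.strip().upper()
    if "_WITH_" in name:
        # IANA-style TLS 1.2 name, e.g. TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256.
        return any(marker in name for marker in _IANA_FS_MARKERS)
    if name.startswith("TLS_"):
        # TLS 1.3 suite: full handshakes always use (EC)DHE.
        return True
    # OpenSSL-style TLS 1.2 name, e.g. ECDHE-RSA-AES128-GCM-SHA256.
    # Static RSA ("AES128-GCM-SHA256") and static ECDH ("ECDH-...") fall through.
    return name.startswith(_OPENSSL_FS_PREFIXES)


def audit(suites):
    """Split suite names into (forward_secret, not_forward_secret)."""
    fs, non_fs = [], []
    for suite in suites:
        (fs if has_forward_secrecy(suite) else non_fs).append(suite)
    return fs, non_fs


def local_default_suites():
    """Suite names enabled by this Python/OpenSSL build's default context."""
    return [c["name"] for c in ssl.create_default_context().get_ciphers()]


# Constructed sample: a server cipher list that still allows static RSA.
SAMPLE_CONFIG = [
    "TLS_AES_256_GCM_SHA384",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "DHE-RSA-AES256-GCM-SHA384",
    "AES128-GCM-SHA256",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
]

if __name__ == "__main__":
    ok, weak = audit(SAMPLE_CONFIG)
    print("forward secret:", ok)
    print("key theft exposes recorded traffic:", weak)
    print("non-FS suites in local defaults:", audit(local_default_suites())[1])
```

Any suite in the second list uses a key exchange where the server's long-term private key is enough to recover session keys from a recording.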
