https://support.okta.com/help/answers?id=9062a000000xaceqa0&refurl=http%3a%2f%2fsupport.okta.com%2fhelp%2fanswers
Bharat Bhaskar

How to prevent MITM attack

Hi,

I am sending an activation link through email, which in turn is called after creating the user. These are the steps that I am doing:
1. Create the user without credentials.
2. Activate the user with send email set as false.
3. Through my own code I am sending the activation link to the user.
4. After he clicks on the activation link it comes to my custom page.
5. After he enters the password and clicks on submit, the Set Password Okta API is fired and the user becomes activated.

The problem with this approach is that it is not able to avoid a MITM attack, as if someone gets access to the user's email he will be able to set his credentials. What is the best way to avoid this?

Please help in this regard.
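An added example (not code from this thread or from Okta) of how the custom activation link in the flow above can be made less valuable to anyone who later reads the mailbox: the link carries an HMAC-signed, short-lived, single-use token bound to the user id, and the page only calls the set-password step once the token verifies. The `set_password` callable, the server key and the in-memory used-token set are assumptions standing in for the Okta API call and a real secret/database.

```python
import base64
import binascii
import hashlib
import hmac
import json
import secrets
import time
from typing import Callable, Optional

SERVER_KEY = secrets.token_bytes(32)  # constructed; load from a secret store in practice
_used_tokens = set()  # constructed in-memory replay list; persist this in a database in practice


def _sign(body: bytes) -> str:
    mac = hmac.new(SERVER_KEY, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode().rstrip("=")


def mint_activation_token(user_id: str, ttl_seconds: int = 900, now: Optional[float] = None) -> str:
    """Bind the user id, an expiry and a random nonce under an HMAC; this goes into the emailed link."""
    now = time.time() if now is None else now
    claims = {"uid": user_id, "exp": int(now + ttl_seconds), "nonce": secrets.token_hex(8)}
    body = json.dumps(claims, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(body).decode().rstrip("=") + "." + _sign(body)


def verify_activation_token(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the user id if the token is authentic, unexpired and unused; otherwise None."""
    now = time.time() if now is None else now
    try:
        b64, sig = token.split(".", 1)
        body = base64.urlsafe_b64decode(b64 + "=" * (-len(b64) % 4))
    except (ValueError, binascii.Error):
        return None
    # Constant-time comparison of the presented signature with the one we compute.
    if not hmac.compare_digest(sig.encode(), _sign(body).encode()):
        return None
    claims = json.loads(body)
    if now > claims["exp"] or token in _used_tokens:
        return None  # expired, or already consumed by an earlier click
    _used_tokens.add(token)
    return claims["uid"]


def complete_activation(token: str, new_password: str, set_password: Callable[[str, str], None],
                        now: Optional[float] = None) -> bool:
    """Handler for the custom page's submit: only call the set-password step for a valid token."""
    uid = verify_activation_token(token, now)
    if uid is None:
        return False
    set_password(uid, new_password)  # assumed wrapper around the Okta set-password call
    return True
```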
Craig Parkin
Hi Bharat,

There are a few things you can do to mitigate MITM attacks of emails. Some options are easier to implement than others.
 
The best method would be to implement end-to-end encryption of the email message using a public/private key method (e.g. PGP). Your application would then encrypt the email using a key that only the user can open. However, this heavily relies on your end users having the chosen encryption method set up on their email client, something which most are unlikely to have.
 
If you control the environment and the email servers are all trusted, you could ensure that all links (i.e. your app --> mail server --> user's desktop client) are encrypted. There are downsides to this. For example, it will likely be unencrypted at some point on the mail server (i.e. in memory or on the filesystem). Also, if you are sending between organisations/external mail servers, you cannot guarantee their security.
 
Some organisations have systems designed for sending sensitive information. If one is available for you, this *may* be a potential solution.

Kind regards,

Craig