How to prevent (or warn) man in the middle attack? (Mendix application hosted in the Mendix Cloud)

We want to give a warning  to the user (or block his login) when there is a MITM that is trying to incercept traffic when someone is connected with a open WIFI. Is it possible to detect "MITM" by javascript in a browser or do I have to do something with a certificate? We host a application in the Mendix Cloud and a Pentester discovered that it is possible to do package ‘sniffering’? and intecept data. We also use a hybrid Phonegap app. Do I also have to add something to the config.xml of the phonegap package to do this check for the Hybrid app. Or is enough to use a certficate? Thanks for your help. Regards Cillus
2 answers

If you deploy in the Mendix Cloud, you are connecting over https: the Mendix cloud does not allow http connections. This prevents man-in-the-middle attacks. Furthermore, since the connection is encrypted, packet sniffing on the network can't be done (well, you can sniff the packets, but you can't decrypt them). I would be suspicious, although intrigued, by a pentester who made those claims and I would double check his claims.


Furthermore, since I would classify this as a security risk, I would escalate this to Mendix and let them solve it, instead of looking for advice on the forums.


There is a SSL certificate checker for PhoneGap.

I can try to implement this.