TransWikia.com

Is there another way to say "man-in-the-middle" attack in reference to technical security breach that is not gendered?

English Language & Usage Asked by Boris Seibert on June 25, 2021

Our company has determined that the term "man-in-the-middle (attack)", which is computer science lingo, is non-compliant with our stance on gender neutrality.

What is the best way to use this terminology and be gender neutral while maintaining communication efficiency?

17 Answers

There are several gender-neutral names for a MITM attack¹:

• monster-in-the-middle

Since 1989, experts have been arguing that Internet security requires cryptographic protocols, ensuring security against Monster-in-the-Middle (MitM) attackers.
Cornell University

• machine-in-the-middle

There are known attacks on (D)TLS, such as machine-in-the-middle and protocol downgrade.
MIT

• monkey-in-the-middle

Although monkey-in-the-middle (MITM) attacks are well-known, little is done to prevent them.
Educause

• person-in-the-middle (PITM)

TLS depends on public-key cryptography to establish session keys to secure each connection and prevent person-in-the middle attacks.
Information Sciences Institute

Since (a) you can keep the "MITM" abbreviation and (b) there is a popular analogous game by that name, I suggest "monkey-in-the-middle attack".

Answered by niamulbengali on June 25, 2021

It was suggested to use, "On-Path Attacker".

Answered by Boris Seibert on June 25, 2021

A colleague at work and I were delighted to discover it can also be called a Bucket brigade attack and have used that since!

https://en.wikipedia.org/wiki/Bucket_brigade

Answered by Kieran501 on June 25, 2021

I really think "person-in-the-middle" is the only option which satisfies both your requirements. Replacing "man" by "person" is a very standard way to avoid terms which might be perceived as gender-biased (for example "chairperson" can now be found in most dictionaries). Anyone familiar with a man-in-the-middle attack will therefore recognise "person-in-the-middle" as being a gender-neutral modification with no intended change of meaning.

Using something like "manatee-in-the-middle" is a potential barrier to efficient communication IMO. It is quite common to modify existing terms in a similar way in order to describe a specific subtype of the basic scam (such as "hatfishing": a type of catfishing which conceals one's baldness). Consequently the reader, on encountering the term, might expect it to have a subtly different meaning and waste time thinking about the potential connotations of aquatic mammals in this context.

Answered by Especially Lime on June 25, 2021

What is the best way to use this terminology and be gender neutral while maintaining communication efficiency?

I would suggest that your original term, "man-in-the-middle (attack)", remains the best fit. It's not true that this can't be considered gender neutral - most dictionaries will confirm that there is a sense of the word 'man' that can stand for any person, e.g. from google: 2. a human being of either sex; a person.

Note that two of the most common "men in the middle" in examples are Eve (here, here, here) and Mallory (here) - i.e. most likely female. These names come from the common cast of characters in cryptographic literature.

Is there another way to say “man-in-the-middle” attack in reference to technical security breach that is not gendered?

There are other ways, mentioned in other answers, but not ways that will be as easily understood. "Man in the middle" is something of a fixed phrase, often abbreviated as MITM.

Variations such as "Monster in the Middle" are fun, but if communication efficiency is a concern, most people are going to find them a distraction. This may of course change over time if "Monster in the Middle" starts to catch on.

Our company has determined that the term "man-in-the-middle (attack)" is non-compliant with our stance on gender neutrality.

I would expect such a company to recommend an alternative term.

Answered by topo Reinstate Monica on June 25, 2021

You could try "Malicious-In-The-Middle" to keep the MITM acronym.

In traditional cryptography naming, the one who performs the MITM attack is Mallory, which will not help because that's a first name, but it fits the M in MITM.

Answered by WoJ on June 25, 2021

I personally like the Agent-in-the-middle as it sort of fits with a scenario of an intelligence agent intercepting the information. (you'll have to drop the MITM acronym though)

Answered by Stefan D. on June 25, 2021

I would like to suggest: Unauthorized Proxy attack.

The attack, of course, is to insert an unauthorized proxy between you and a resource you want to reach. In doing so, the attacker can assume control of some aspects of your communication with that resource, potentially including etc etc.

I cannot say this is a "standard" or "common" use, but it is descriptive, short, and gets to the point without much confusion.

Answered by nomen on June 25, 2021

I have picked one answer that I favor above others:

MitM is the MitM.

Thanks to my commenters. They helped me narrow it down.

Answered by emory on June 25, 2021

I would probably go for something completely different and reword it completely while maintaining the meaning.

Call it a "Login interception attack" or an "eavesdropping attack".

After all, "Man in the middle" isn't a computer science term, as you put it; rather, it pre-dates computing by quite some time, and comes from the practice of messages (written on paper) being intercepted in transit. It was used to describe the computing authentication-stealing attack in order to depict a technical concept to a non-technical audience.

Answered by Aaron F on June 25, 2021

What is the best way to use this terminology and be gender neutral while maintaining communication efficiency?

The best way is to use Machine-in-the-middle instead.

You really can't easily replace well-known acronyms in technical writing, which strongly favors MITM. Also, since this term pre-dates computing, updating to Machine-in-the-Middle is more accurate too, as no human could directly carry out this attack in a computer network.

Monkey-in-the-Middle evokes the game, in which the player in the middle is known to the other players, who are actively avoiding passing them the ball. So it misses the sense of a MITM attack, where the existence of the third party is secret.

Answered by David Browne - Microsoft on June 25, 2021

Why not use a term that describes the situation more precisely?

One could call it an unauthorized intermediary attack, a concealed intermediary attack, or even better, a malicious intermediary attack. An intermediary typically is a go-between or broker that serves as a link between two parties. By default this relationship is voluntary, but this connotation is not sufficiently strong to render a phrase like "malicious intermediary" nonsense. With this type of attack, the attacker adopts an intermediary role without consent for a harmful purpose, for instance by recording communications while continuing to forward them to the appropriate parties. This is precisely what an authorized, well-meaning intermediary might do, except this role has been coopted for a sinister purpose.

Some of the other synonyms of intermediary could also work well here: for instance, the attacker might also be referred to as an unauthorized broker.

Answered by Obie 2.0 on June 25, 2021

As suggested in topo's answer, man-in-the-middle is a fixed phrase and should not be changed.

If your corporation decides that man goes against their gender-neutral policy, you can stick to its acronym and just keep saying MITM (em-eye-tee-em). No one will have trouble understanding this term, and you do a perfect job avoiding the offending word.

Answered by iBug on June 25, 2021

Consider replacing the English word “man”, with the Welsh word “man”, meaning “place”. Besides being gender neutral, this better signifies that the location of the attack (the middle) is the focus of attention rather than the agent performing the attack.

Answered by jl6 on June 25, 2021

You've come to an English-language stack to ask a sociological question

You've received a great many (and quite good quality) suggestions to replace the word "man" in the title "man-in-the-middle." However, every answer posted here (and any answer that in the future could be posted here) is irrelevant unless your company is in a position to change one of the largest, most internationally represented industries on Earth. You can therefore choose anything you want as there is no best answer — but that will come with a price. Whatever you choose will only be useful within the boundary of your own company and at best won't be (at least quickly) recognized outside your company.

Changing phrases in the networking industry might only be second to convincing the English-speaking world to discover a gender-neutral word to replace "history." (Consider how difficult it would be to convince the planet to use the word "ourstory.")

Curiously, considering that most gender neutralization efforts are focused on reducing male-positive references to gender-neutral references, it seems almost like busy work to convert a male-negative phrase like "man-in-the-middle attack" to a gender neutral. Many will realize my previous statement has nothing to do with the English language. Indeed, it doesn't. It's sociological. But, so is this question.

Therefore, to fully answer your question: due to the industry confusion any such attempt would inspire, there isn't a better gender-neutral title than what you're using right now.

If your employer is sincerely interested in gender neutralizing this or any other phrase in your industry, they should start, not by asking what phrase to use, but how they would use that effort to engage the industry. Honestly, you would likely generate a lot of positive press by promoting the effort and asking the industry what phrase it would prefer. It might select one of the options here — but you might be surprised that it doesn't select one offered here at all.

Answered by JBH on June 25, 2021

To communicate clearly, use the standard phrase or pick another entirely. Trying to modify a common term for political purposes will likely garner more offense than it saves.

Answered by Suncat2000 on June 25, 2021

tl;dr The term "man-in-the-middle" is already completely gender-neutral when understood. Those who'd misinterpret "man" as an adult male human are liable to have similar misconceptions about other aspects of the term, so it'd probably be most helpful to address these sorts of misconceptions together.

Specific suggestions:

| Standard term | Potential substitute |
|---|---|
| man-in-the-middle | [Pick a more specific term.] |
| passive man-in-the-middle attacker | intermediary that spies on communications |
| passive man-in-the-middle attack | intermediary spying event |
| active man-in-the-middle attacker | intermediary that alters communications |
| active man-in-the-middle attack | intermediary communication-altering event |
| active-or-passive man-in-the-middle attacker | intermediary that spies on or alters communications |
| active-or-passive man-in-the-middle attack | intermediary spying-or-communication-alteration event |

What's a man-in-the-middle (MitM)?

Clarifications regarding a man-in-the-middle (MitM) attack:

  1. The "man" is a generic entity.

    • It is not assumed to be singular, human, adult, nor male.

    • In practice, it's usually non-human.

  2. The "middle" is a generic position between the endpoints.

    • It is not assumed to be midway between the endpoints.

    • In practice, it's usually not located at equal distances from the endpoints.

  3. The "attack" is a generic undesired interaction.

    • It is not assumed to be a physical attack, nor to result in harm, physical or otherwise.

    • In practice, it's often either passive spying or active filtering. Active filtering is often well-intentioned.

For the purpose of this question, we can probably group interpretations of the term into two categories:

  1. Interpretations which mistakenly conceptualize the "man" as a singular adult male human.

  2. Interpretations which don't make that mistake.

If we changed the word "man" to a gender-neutral alternative, e.g. "person", then:

  1. Those who understood that "man" wasn't a singular adult male wouldn't find the new term to be any more clear, as they weren't confused in the first place.

  2. Those who misunderstood "man" as a singular adult male would probably still be substantially confused about most of what the term means; merely losing the presumption of the "man" being a male would be a pretty small step in the right direction.

So there'd seem to be two major solution pathways:

  1. Leave the term as-is. Those who understand it already understand that it's not gendered, while those who misunderstand it as gendered have much larger conceptual problems to deal with anyway.

  2. Choose a new term that substantially addresses the body of misconceptions that someone who'd read "man" as gendered is likely to have.

Assuming you want a new term, then presumably Solution Pathway (2) would be the way to go. So, let's not just substitute something for "man", but rather rework the term entirely to avoid the constellation of related misconceptions that someone who misunderstood "man-in-the-middle" would presumably be disposed toward.

Since the term is already fine in the abstract, the confusion would likely have to be addressed at the level at which it exists, i.e. at the level of overly literal interpretations which are intolerant of overloaded terminology. To address this, presumably we ought to focus on choosing terms which have more literal primary definitions.

Specific points to fix up:

  1. Instead of "man", more literally refer to the generic entity in the line-of-communication.

  2. Instead of "middle", more literally refer to the property of being a link in the line-of-communication between end-points.

  3. Instead of "attack", more literally refer to the behavior of the intermediary to do something other than blindly pass along a communicated message.

  4. Instead of using an abstract term that refers to both active and passive man-in-the-middle attacks, select different terms that more concretely refer to these cases separately.


Specific suggestions: For passive man-in-the-middle attacks.

A passive man-in-the-middle attack is when a communication link gets information from the messages it passes.

Simple example: If students pass notes in a classroom, then a student between the note-sender and note-recipient who looks at what the note says is a passive-man-in-the-middle.

Such a passive man-in-the-middle attack might be called:

  1. an intermediary spying event.

The passive-man-in-the-middle attacker might be called:

  1. an intermediary that spies on communications;

  2. a spying intermediary.


Specific suggestions: For active man-in-the-middle attacks.

An active man-in-the-middle attack is when a communication link alters information from the messages it passes. This can include inserting fake content or/and removing real content.

Simple example: If students pass notes in a classroom, then a student between the note-sender and note-recipient who tampers with what the note says is an active-man-in-the-middle.

Such an active man-in-the-middle attack might be called:

  1. an intermediary communication-altering event;

  2. an intermediary communication-tampering event.

The active-man-in-the-middle attacker might be called:

  1. an intermediary that alters communications;

  2. a communication-altering intermediary;

  3. a tampering intermediary.


Discussion: Regarding descriptions of "attacks" and "malice".

An attacker is someone who attempts to harm the subject of the attack. They have malice toward that which they intend to harm – by definition, as their intent to harm something is malice toward it.

This can get confusing when we talk about stuff like communication protocols, as someone can attack in one subjective frame but not another.

For example, say you're walking down a sidewalk, when a car swerves and nearly hits you, but someone else shoves you out of the way: did they "attack" you?

  • In a sense, yes. By forcibly altering your body without your consent or permission, they've attacked you, in the sense of the you-who-didn't-want-to-be-physically-altered-by-a-stranger-without-consent-or-permission.

  • In a sense, no. By saving you from being hit by a car, they saved you, in the sense of the you-who-wouldn't-want-to-have-been-hit-by-a-car.

  • In a sense, kinda, but it was okay. Assuming they couldn't have easily saved you without touching/shoving you without consent, then typical social norms would find the good aspect of their behavior to be superior to the poor aspect of their behavior, for a positive net overall judgement.

This gets more complicated when we start talking about online communications because people online adopt many simultaneous identities. For example, when you connect to a bank account, various notions of you desire:

  1. to have a secure connection to your bank account;

  2. to connect to what you think is your bank's webpage;

  3. to not be tricked into connecting to a fake bank site;

  4. to not have anyone tamper with your bank account without your permission;

  5. to have financial security;

and many more.

So, hypothetically, say a scammer sends you an email that fraudulently claims to be from your bank. The scammer wants you to click a link that'll send you to a webpage that looks like your bank's website, because they copied it, but sends your login credentials to the scammer instead. But your country's intelligence services have, without your knowledge or consent, established filtering mechanisms that detect such fraud attempts and then block them. One such intelligence-agent felt guilty about hacking your email without consent, so they ended up stealing your online-banking-credentials instead of the scammer, using them to deposit a bunch of money in your account. So... did they attack you?

In a bunch of senses, yes: they spied on you, tampered with your communications, and altered your bank account without your permission. All pretty serious attacks! But in a bunch of senses, no: they saved you from having your life wrecked, and gave you greater financial security, as you'd have liked.

So, how do cyber-security experts judge who's an attacker and who's not? They don't!

Not in an overall sense, anyway. Rather, anyone who acts outside of protocol, regardless of their greater intent, is a "malicious attacker" in the context subjective to that protocol. Because they've attacked the protocol, which in the subjective context of the protocol is the thing that'd be attacked by an "attacker". And they're "malicious" in the sense of having acted to harm the intended operation of the protocol.

Long story short, "attackers" and "malicious actors" aren't necessarily references to actions that a normal person would find reprehensible. Rather, in-context, we're talking about relationships to technical protocols and whatnot.

Answered by Nat on June 25, 2021
