Abstract—The SSL man-in-the-middle attack uses forged SSL certificates to intercept encrypted connections between clients and servers. However, due to a lack of reliable indicators, it is still unclear how commonly these attacks occur in the wild. In this work, we have designed and implemented a method to detect the occurrence of SSL man-in-the-middle attacks on a top global website, Facebook. Over 3 million real-world SSL connections to this website were analyzed. Our results indicate that 0.2% of the SSL connections analyzed were tampered with using forged SSL certificates, most of them related to antivirus software and corporate-scale content filters. We have also identified some SSL connections intercepted by malware. Limitations of the method and possible defenses to such attacks are also discussed.

Full paper: https://www.linshunghuang.com/papers/mitm.pdf
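The abstract only reports the outcome of the analysis. The following added example (not the paper's own code or method, and not from the linked site) illustrates the underlying comparison: each client-reported certificate is fingerprinted and checked against the fingerprint of the legitimate certificate, mismatches are bucketed by issuer name into the categories the abstract names, and a tamper rate is computed. The record format, the placeholder DER bytes and the issuer keyword heuristics are all constructed assumptions for illustration.

```python
import hashlib
from collections import Counter

# Constructed placeholder standing in for the DER bytes of the site's genuine
# certificate; a real deployment would use the certificate the site actually serves.
EXPECTED_DER = b"placeholder-der-of-legitimate-site-certificate"


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, lowercase hex."""
    return hashlib.sha256(der).hexdigest()


EXPECTED_FP = fingerprint(EXPECTED_DER)

# Constructed client reports: the certificate each client saw for the site and
# the issuer common name carried by that certificate.
OBSERVATIONS = [
    {"der": EXPECTED_DER, "issuer": "Example Public CA"},
    {"der": EXPECTED_DER, "issuer": "Example Public CA"},
    {"der": b"forged-by-av", "issuer": "Example Antivirus Root CA"},
    {"der": b"forged-by-proxy", "issuer": "Example Corp Web Filter CA"},
    {"der": b"forged-unknown", "issuer": "zzz-unknown-root"},
]

# Assumed keyword heuristics for bucketing forged certificates by who issued them.
ISSUER_HINTS = {
    "antivirus": ("antivirus", "anti-virus"),
    "corporate-filter": ("filter", "proxy", "gateway"),
}


def classify(record: dict, expected_fp: str) -> str:
    """Return 'legitimate' if the observed cert matches, else an issuer-based bucket."""
    if fingerprint(record["der"]) == expected_fp:
        return "legitimate"
    issuer = record["issuer"].lower()
    for bucket, keywords in ISSUER_HINTS.items():
        if any(k in issuer for k in keywords):
            return bucket
    return "unknown"  # candidate for manual review; may include malware


def summarize(records: list, expected_fp: str) -> dict:
    """Count each category and compute the share of tampered connections."""
    counts = Counter(classify(r, expected_fp) for r in records)
    tampered = len(records) - counts.get("legitimate", 0)
    return {"counts": dict(counts), "tamper_rate": tampered / len(records)}
```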