How to detect man in the middle attack?

225 | Asked by AndreaBailey in Cyber Security, Asked on Mar 28, 2022

Is it possible to detect man-in-the-middle attacks, and if so, how would one go about it? In addition, what if the attack is taking place via connecting into the local network, such as phone lines? Is there any way to detect it?

Answered by Anil Jha

How to detect a man-in-the-middle attack? It depends on the type of system being attacked and the type of attack. Say some sophisticated attacker has gotten control of a router upstream between you and the internet in general and redirects your traffic to fake servers under their control for a MitM (e.g., captures DNS requests and gives phoney replies pointing to their servers, or uses Network Address Translation (NAT)).

Now let's say you go to http://www.facebook.com and get directed to an http login page under the attacker's control. Foreseeably the attacker could throw up a page that mimics Facebook's login page, captures your authentication information, uses that information to connect to the real Facebook, and then directs the content from the real Facebook to your browser. This could be done nearly seamlessly, with the exception of the hidden form post action not being https on the initial login page. Let's say instead your settings are to always use https for Facebook, and you went to https://www.facebook.com. The MitM attack would send red flags to the browser, as the attacker will not have a trusted certificate for facebook.com. Granted, many users would ignore these browser warnings (as sometimes they occur for benign reasons like an expired key or an intranet site not using a self-signed key). This all assumes that the attacker has not additionally managed to hack into Facebook and get their private certificates OR compromise a CA (certificate authority) to be able to generate phoney certificates trusted by most web browsers OR previously alter your web browser so it trusts/doesn't warn about invalid certificates.

In general with http it is near impossible to detect MitM attacks, but with https your browser should automatically detect it and warn you, unless the attacker has already compromised your system or the system at the other end (including the CA as a system at the other end). Next example: ssh. Again, it uses private-public server keypairs to authenticate computers. So if I frequently ssh into my work machine from my home computer, my home computer has recorded and trusted the public key of my work machine (which is kept in a file ~/.ssh/known_hosts). If a MitM attack was attempted when I am connecting from my home machine, ssh would immediately notice that the MitM machine did not have the private key of my work machine and would not let me log in (unless I specifically removed the public key from my known_hosts list, which I would only do if, say, I upgraded to a new machine or changed the server key). Again, MitM attacks over ssh are very easy to detect unless the attacker either already broke into my work machine as root and copied the private key to his host OR already broke into my home machine and changed the public key for my work machine recorded in ~/.ssh/known_hosts OR it's my first time connecting to the server (and I do not have the server in my known_hosts or recognize its host fingerprint).
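The known_hosts check the answer describes, as an added example that is not part of the original answer or of OpenSSH itself: it parses plain and hashed (`|1|salt|hmac`) known_hosts entries, computes an OpenSSH-style SHA256 fingerprint, and classifies a presented server key as a match, a mismatch (possible MitM or a genuine key change) or a first contact. The hostnames and key blobs are constructed sample data, not real keys.

```python
import base64
import hashlib
import hmac

def fingerprint(key_b64: str) -> str:
    """OpenSSH-style SHA256 fingerprint of a base64-encoded public key blob."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def hashed_host_entry(hostname: str, salt: bytes) -> str:
    """Build the '|1|salt|hash' host field that HashKnownHosts / ssh-keyscan -H write."""
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())

def host_matches(field: str, hostname: str) -> bool:
    """True if a known_hosts host field (plain, comma-separated, or hashed) names hostname."""
    if field.startswith("|1|"):
        _, _, salt_b64, mac_b64 = field.split("|", 3)
        salt = base64.b64decode(salt_b64)
        expected = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(expected, base64.b64decode(mac_b64))
    return hostname in field.split(",")

def check_host_key(known_hosts: str, hostname: str, keytype: str, presented_key_b64: str) -> str:
    """Return 'match', 'MISMATCH' or 'unknown' for the key a server just presented."""
    for line in known_hosts.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 3 or parts[1] != keytype or not host_matches(parts[0], hostname):
            continue
        if hmac.compare_digest(parts[2], presented_key_b64):
            return "match"
        return "MISMATCH"   # stored key differs: possible MitM or a genuine key change
    return "unknown"        # first contact: verify the fingerprint out of band

# Constructed sample data (not real keys): fixed bytes stand in for key blobs.
WORK_KEY = base64.b64encode(b"\x00\x00\x00\x0bssh-ed25519" + b"\x01" * 32).decode()
ATTACKER_KEY = base64.b64encode(b"\x00\x00\x00\x0bssh-ed25519" + b"\x02" * 32).decode()
SALT = b"\x10" * 20
KNOWN_HOSTS = "\n".join([
    "work.example.com,10.0.0.5 ssh-ed25519 " + WORK_KEY,
    hashed_host_entry("git.example.com", SALT) + " ssh-ed25519 " + WORK_KEY,
])
if __name__ == "__main__":
    for host, key in [("work.example.com", WORK_KEY), ("work.example.com", ATTACKER_KEY),
                      ("git.example.com", WORK_KEY), ("new.example.com", WORK_KEY)]:
        print(host, fingerprint(key), check_host_key(KNOWN_HOSTS, host, "ssh-ed25519", key))
```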
