by utefan001 2418 days ago
FYI, if you google mitm check you should see a link to this site. A service provided by the caddy server devs. https://mitm.watch/
3 comments

Server-side MitM detection doesn't work. It tries to compare the attributes of the TLS connection (ciphersuites, etc.) with the expected attributes of the client software as determined by the User-Agent header.

So you'll get false positives if the server's database of TLS connection attributes is out-of-date, as is happening to several commenters here.

And you'll get false negatives if the MitM mimics the purported client software, which is easy for a malicious MitM to do.

Server-side MitM detection doesn't work.
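
An added illustration of the heuristic described in the comment above (not code from mitm.watch or Caddy; the fingerprint table and User-Agent strings are constructed for the example): the server keeps an expected ClientHello shape per browser family and flags a connection whose observed hello differs from what the User-Agent claims. The same script shows the two failure modes named above, a stale table producing a false positive and a mimicking interceptor producing a false negative.

```python
"""Server-side MitM heuristic: compare the TLS ClientHello a server actually
received with the ClientHello the claimed User-Agent is expected to send.
Added example; the fingerprint table below is constructed for illustration
and is not mitm.watch's real database."""
from dataclasses import dataclass


@dataclass(frozen=True)
class HelloFingerprint:
    """Order-sensitive view of a ClientHello (cipher suite IDs, extension IDs),
    in the spirit of a JA3-style fingerprint."""
    cipher_suites: tuple
    extensions: tuple


# Constructed expectations (hypothetical values, not measured from real browsers).
EXPECTED = {
    "Firefox": HelloFingerprint(
        cipher_suites=(0x1301, 0x1303, 0x1302, 0xC02B, 0xC02F, 0xCCA9, 0xCCA8),
        extensions=(0, 23, 65281, 10, 11, 16, 5, 51, 43, 13),
    ),
    "Chrome": HelloFingerprint(
        cipher_suites=(0x1301, 0x1302, 0x1303, 0xC02B, 0xC02F, 0xC02C, 0xC030),
        extensions=(0, 23, 65281, 10, 11, 35, 16, 5, 13, 18, 51, 45, 43, 27),
    ),
}


def browser_family(user_agent):
    """Crude User-Agent parse: Chrome's UA string also contains "Safari",
    so checking the distinctive tokens first is enough for the demo."""
    if "Firefox/" in user_agent:
        return "Firefox"
    if "Chrome/" in user_agent:
        return "Chrome"
    return None


def classify(user_agent, observed, expected=EXPECTED):
    """Return "ok", "likely_mitm" or "unknown" for one connection."""
    family = browser_family(user_agent)
    if family not in expected:
        return "unknown"          # no baseline, nothing to compare against
    return "ok" if observed == expected[family] else "likely_mitm"


# Constructed User-Agent string for the demo.
FIREFOX_UA = "Mozilla/5.0 (X11; Linux x86_64; rv:70.0) Gecko/20100101 Firefox/70.0"

# 1. Genuine client whose hello matches the server's table.
GENUINE = EXPECTED["Firefox"]

# 2. Stale table (constructed): a newer Firefox adds one extension. The server
#    has not been updated, so a direct, un-intercepted connection is flagged.
NEWER_FIREFOX = HelloFingerprint(
    cipher_suites=(0x1301, 0x1303, 0x1302, 0xC02B, 0xC02F, 0xCCA9, 0xCCA8),
    extensions=(0, 23, 65281, 10, 11, 16, 5, 51, 43, 13, 28),
)

# 3. Interceptor with its own, very different TLS stack (constructed).
NAIVE_PROXY = HelloFingerprint(cipher_suites=(0x002F, 0x0035), extensions=(0, 10, 11))


def mimicking_proxy(client_hello):
    """A MitM that copies the real client's suite and extension lists into the
    hello it sends to the server, so the server-side comparison passes."""
    return HelloFingerprint(client_hello.cipher_suites, client_hello.extensions)


def demo():
    """Verdicts for the four scenarios, keyed by scenario name."""
    return {
        "genuine": classify(FIREFOX_UA, GENUINE),
        "false_positive_stale_table": classify(FIREFOX_UA, NEWER_FIREFOX),
        "naive_proxy": classify(FIREFOX_UA, NAIVE_PROXY),
        "false_negative_mimic": classify(FIREFOX_UA, mimicking_proxy(GENUINE)),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The only scenario the heuristic catches reliably is the naive proxy; the stale-table and mimic cases are exactly the false positive and false negative the comment describes, and no tuning of the table fixes the mimic case.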

It should be made to work better. A MITM attack changes the enciphered bits, because it re-encrypts with a different key. So the enciphered bits sent and the enciphered bits received are different. If you can compare a few bits somehow, you can detect MITM attacks.

The early STU-III secure phone displayed a 2-digit number at each end. You were supposed to verify by voice that those numbers were the same. That prevented most MITM attacks.

A web site could send something that says "The first N crypto bytes were 0xa34g", and the browser could check that. An attacker would have to know to fake that to evade the check.

It's possible to make the attacker work very hard to do such a fake. A nice trick would be to have the server send a MD5-type hash of the entire page plus the first encrypted bits early in the web page. Then, send almost all of the web page, but wait a few seconds before sending the last few bytes, which could just be a random HTML comment so rendering doesn't have to wait. To fake that, the attacker not only has to know what to do to fake it, it has to wait for the entire page to transmit before it can send any of the page. So the browser sees a substantial extra delay before the page starts if there's a MITM attack which tries to fake the "first N crypto bytes" check. That's detectable automatically.

It also breaks all caches, so that's a problem.
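
An added simulation of the ciphertext-comparison idea in the comment above (not code from the page or from any project): each end derives a short check code from the first N ciphertext bytes it sees, the way the STU-III showed a number at each end. A re-encrypting MitM sends the client different ciphertext, so a forwarded code no longer matches; a MitM that knows about the check can recompute it, which is the "attacker would have to know to fake that" caveat. The stream cipher is a toy HMAC-SHA256 keystream standing in for the TLS record layer, the keys and page are constructed, and the code is 32 bits rather than two digits so that a chance collision does not confuse the demo; the timing trick with the delayed last bytes is not modeled.

```python
"""Toy model of checking that both ends saw the same ciphertext.
Added example, not code from the original post. The cipher is a stand-in
(HMAC-SHA256 counter keystream XORed with the data); keys are constructed."""
import hashlib
import hmac

N_CHECK_BYTES = 64   # how much leading ciphertext feeds the check code

# Constructed session keys: the real server<->client key, and the key a
# re-encrypting MitM would negotiate with the client on its own.
SERVER_KEY = hashlib.sha256(b"constructed server session key").digest()
MITM_KEY = hashlib.sha256(b"constructed mitm-to-client session key").digest()

PAGE = b"<html><body>Hello, this is the page body. " * 20 + b"</body></html>"


def keystream(key, length):
    """Deterministic keystream: HMAC(key, counter) blocks, truncated to length."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key, data):
    """XOR stream cipher; decryption is the same operation."""
    return bytes(p ^ k for p, k in zip(data, keystream(key, len(data))))


decrypt = encrypt


def check_code(ciphertext):
    """Short code derived from the first N ciphertext bytes (32 bits here)."""
    digest = hashlib.sha256(ciphertext[:N_CHECK_BYTES]).digest()
    return digest[:4].hex()


def direct_session(server_key=SERVER_KEY):
    """No interception: server and client compute the code over the same bytes.
    Returns (code the server announces, code the client computes)."""
    ct = encrypt(server_key, PAGE)
    return check_code(ct), check_code(ct)


def intercepted_session(mitm_recomputes_code, server_key=SERVER_KEY, mitm_key=MITM_KEY):
    """MitM decrypts with the server-side key and re-encrypts toward the client.
    The server's announced code travels inside the page; a naive MitM forwards
    it unchanged, a MitM that knows about the check rewrites it."""
    server_ct = encrypt(server_key, PAGE)
    server_code = check_code(server_ct)
    plaintext = decrypt(server_key, server_ct)   # MitM reads the page in clear
    client_ct = encrypt(mitm_key, plaintext)     # and re-encrypts with its own key
    announced = check_code(client_ct) if mitm_recomputes_code else server_code
    return announced, check_code(client_ct)


def run():
    """(announced, observed) code pairs for the three scenarios."""
    return {
        "direct": direct_session(),
        "naive_mitm": intercepted_session(mitm_recomputes_code=False),
        "smart_mitm": intercepted_session(mitm_recomputes_code=True),
    }


if __name__ == "__main__":
    for name, (announced, observed) in run().items():
        status = "match" if announced == observed else "MISMATCH"
        print(f"{name}: announced={announced} observed={observed} -> {status}")
```

The naive interceptor is caught because the client's ciphertext differs from the server's; the smart one is not, which is why the comment then reaches for the timing trick and why the follow-up about caches matters, since any cache in the path is, from the client's point of view, exactly such a re-encrypting middlebox.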

I get the red page with Firefox Developer Edition with no extensions, Chrome and Safari are green on same machine. I have all of the anti-fingerprinting stuff turned on in FF though.
On my home network, I get the green OK page on my desktop computer on Brave but I get the red `Likely MITM` on my iPhone with latest iOS.

How should I conclude?

The technique used here currently has a known issue with iOS 13: https://github.com/caddyserver/caddy/issues/2771
Via wifi or cell?
Same network for both: fixed ethernet on my desktop computer and wifi for the phone.

I tried LTE only and I also get the red MITM page.

Edit: tried my laptop on wifi, green OK

Interesting. I tried on my home WiFi (Comcast) on my Mac - green page (no MITM).

On my iPhone, (AT&T LTE) - red MITM page.

iPhone on my WiFi - red MITM page even with the cellular antenna disabled (!)

Tethered my laptop to my phone - red MITM page.