Against SSL Strip — HSTS and HSTS Preloading:
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Tells browsers to only ever use HTTPS. Preloading bakes this into the browser before any connection is made — SSL Strip has no window to operate.
Against ARP Poisoning:
Dynamic ARP Inspection (DAI) on managed switches
Static ARP entries for critical systems
VPN with strict certificate verification
Network segmentation — attackers on guest WiFi cannot reach production
Against MitM generally:
Certificate pinning for mobile apps
Mutual TLS — both client and server authenticate with certificates
Certificate Transparency logs — detect mis-issued certificates
Notable cases:
2011 DigiNotar CA compromise — fraudulent certificates for Google, used in Iranian MitM
2015 Superfish/Lenovo — MitM on millions of consumer laptops
2017 KRACK — WPA2 WiFi key reinstallation enabling MitM on encrypted WiFi
2011 DigiNotar: Iranian attackers compromised a Dutch certificate authority and issued fraudulent certificates for Google, Mozilla, and others. These certificates were used to perform MitM against Iranian users — their encrypted Google connections were intercepted by the government. 300,000 users affected before the CA was revoked. The incident led to mandatory Certificate Transparency logging.