Timing Analysis of SSL/TLS Man in the Middle Attacks
The authors' experiment revealed that SSL MiTM attacks have timing patterns that could be identified by observing victims. More specifically, the attack tools they analyzed shifted most of the delay to the time between when an SSL handshake was started and when the certificate was received. Additionally, most of the variance in the RTT was eliminated when connecting to sites all over the world due to the MiTM programs accepting TCP connections immediately. They also presented non-timing based methods to reveal when the specific MiTM tools they tested were being used.