MITM Detection Tools

Client-side techniques to help identify potential Man-in-the-Middle attacks.

Server-Reported Information

This data comes from the server and represents what the server sees about your connection:

  • Your IP Address: 216.73.216.36
  • Host Header: crl.cryptoagility.cloud
  • HTTPS Status: Yes ✅
  • Protocol: HTTP/2.0
  • User-Agent: Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko; compatible; ClaudeBot/1.0; +claudebot@anthropic.com)

Detection Methods Explained

IP Address Mismatch Detection

Uses WebRTC to discover your real IP addresses (including local network IPs and both IPv4/IPv6) and compares them with the IP address the server sees. A mismatch may indicate:

  • VPN or proxy usage (legitimate)
  • Corporate network gateway
  • Potential MITM proxy
  • Dual-stack networks: If you have both IPv4 and IPv6, the server might use one while WebRTC discovers the other. This is normal and not a security concern.

Limitations: Many browsers block WebRTC IP leaks for privacy. VPNs legitimately cause mismatches.
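The comparison logic behind this check, as an added example that is not the tool's own code: it takes the candidate addresses WebRTC would report (in a browser these come from RTCPeerConnection ICE candidates, which is assumed and not shown here), discards private, loopback, link-local and mDNS-obfuscated candidates, and treats a different-family result as the dual-stack case rather than a mismatch. Addresses are compared as plain strings, so IPv6 candidates are assumed to be in the same textual form the server reports.

```javascript
// Private / loopback / link-local ranges that should never be compared with
// the public address the server reports.
const PRIVATE_V4 = [/^10\./, /^192\.168\./, /^172\.(1[6-9]|2\d|3[01])\./, /^127\./, /^169\.254\./];
const PRIVATE_V6 = [/^::1$/, /^f[cd]/i, /^fe[89ab]/i]; // loopback, ULA (fc00::/7), link-local

function ipFamily(ip) {
  return ip.includes(':') ? 6 : 4;
}

function isPrivate(ip) {
  const list = ipFamily(ip) === 4 ? PRIVATE_V4 : PRIVATE_V6;
  return list.some((re) => re.test(ip));
}

// Modern browsers replace host candidates with mDNS names such as
// "<uuid>.local"; those carry no address and must be ignored.
function isMdnsName(candidate) {
  return /\.local$/i.test(candidate);
}

// Classifies the WebRTC view of the client against the server's view.
// Returns 'match', 'dual-stack', 'mismatch' or 'no-data'.
function compareWithServer(webrtcCandidates, serverIp) {
  const publicIps = [...new Set(webrtcCandidates)]
    .filter((c) => !isMdnsName(c))
    .filter((ip) => !isPrivate(ip));
  if (publicIps.length === 0) return 'no-data';          // WebRTC blocked or LAN-only candidates
  if (publicIps.includes(serverIp)) return 'match';
  const sameFamily = publicIps.filter((ip) => ipFamily(ip) === ipFamily(serverIp));
  // Server saw one family, WebRTC only found the other: expected on dual-stack hosts.
  if (sameFamily.length === 0) return 'dual-stack';
  return 'mismatch';                                     // VPN, proxy, CGNAT, or a MITM proxy
}

// Constructed sample: a LAN address plus a public IPv4 that differs from what the server saw.
console.log(compareWithServer(['192.168.1.5', '198.51.100.9'], '203.0.113.7')); // mismatch
```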

Certificate Transparency Monitoring

Checks if the website's SSL certificate is logged in public Certificate Transparency logs. MITM attackers using self-signed or rogue certificates typically cannot add entries to CT logs.

Limitations: Requires external API access. A sophisticated MITM could potentially use a legitimately issued certificate for the same domain (via a compromised CA or domain validation hijacking). Corporate SSL inspection uses legitimate certificates that may be in CT logs. This check verifies Certificate Transparency compliance, not certificate authenticity.

Geolocation vs IP Location

Compares your browser's geolocation with the geographic location of your IP address. Large discrepancies may indicate VPN or proxy use. Requires user permission; if denied, this check is skipped.

Limitations: Requires location permission (often blocked for privacy). VPNs and mobile networks legitimately cause large mismatches. IP geolocation databases have varying accuracy (typically city-level at best). Browser geolocation uses GPS/WiFi positioning, which can differ from the ISP's registered location.

Latency Analysis

Measures round-trip time to the server. Unusually high latency or high variance may indicate traffic routing through a proxy. Multiple measurements are taken to detect inconsistent routing patterns.

Limitations: Network conditions vary significantly by region (e.g., Australia-Europe connections can have 300-400ms normal latency). CDNs, edge servers, mobile networks, and WiFi congestion all affect measurements. Threshold is set at 1000ms to account for regional differences.

DNS Resolution Verification

Checks if the domain resolves to the expected IP addresses using public DNS resolvers. Queries both A (IPv4) and AAAA (IPv6) records to verify DNS integrity.

Limitations: DNS can be legitimately overridden (hosts file, corporate DNS, Pi-hole). CDNs and load balancers often return multiple IPs, and your connection may use any one of them. A mismatch doesn't necessarily indicate MITM; it's normal for CDN-backed sites. DNS hijacking attacks could still pass this check if they control authoritative DNS.

Understanding Results

These checks provide indicators, not proof. Common legitimate scenarios that trigger warnings:

  • Corporate Networks: Often use SSL inspection proxies for security monitoring
  • VPN Services: Route traffic through different IP addresses and locations
  • Privacy Tools: May block WebRTC or location access
  • Mobile Networks: Use carrier-grade NAT causing IP mismatches

True MITM attacks require investigation beyond these automated checks. If you suspect compromise, verify the SSL certificate manually and contact your network administrator.