Certificates play an important role in detecting a MiTM attack on TLS-protected traffic: to read and forward the traffic, the cybercriminal has to terminate the connection and re-encrypt it with a certificate of their own, which will not match the certificate issued to the web-based service (or will not chain to a CA the browser trusts). Web browsers today are very good at alerting the end user to such a mismatch, so a practical MiTM on encrypted traffic depends on the user clicking through that warning, or on traffic that is not encrypted at all.
How does this pertain to your local network? Because it is not difficult to redirect traffic from any computer on a LAN to a MiTM computer for inspection, and then forward it on to the original destination. This is variously called an ARP attack, ARP spoofing or ARP poisoning; search on any of these terms to find copious and technically specific information. Fundamentally, it comes down to these basics of how ARP works:
• When a computer needs to send to an IP address on its local subnet (or to its default gateway) and has no cached entry for it, its network card sends an ARP request as a broadcast, asking which hardware (MAC) address is assigned to the desired destination IP address.
• The switch floods the ARP broadcast to every switchport on the same VLAN.
• The computer / network card to which the IP address is bound receives the ARP broadcast and replies, unicast, with its MAC address.
• The originating computer receives the ARP reply and records the IP-to-MAC binding in its local ARP cache. Nothing in this exchange is authenticated: the cache is updated from any reply, with no check that the sender actually owns that IP address, and that is exactly the gap ARP poisoning exploits.
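The four steps above, followed by a poisoned reply and an arpwatch-style detector, as an added example that is not part of the original page. It is a self-contained simulation: the Ethernet/ARP frame layout follows RFC 826 for IPv4 over Ethernet, but the switch, hosts, MAC and IP addresses are constructed, and the cache behaviour (accept any reply, no authentication) is a deliberate simplification of how real stacks behave.

```python
import struct
from dataclasses import dataclass

# Constants for IPv4-over-Ethernet ARP; all addresses used below are constructed.
ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"

def mac_bytes(s): return bytes.fromhex(s.replace(":", ""))
def mac_str(b): return ":".join(f"{x:02x}" for x in b)
def ip_bytes(s): return bytes(int(o) for o in s.split("."))
def ip_str(b): return ".".join(str(x) for x in b)

@dataclass
class Arp:
    op: int
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str

def build_frame(dst_mac, src_mac, arp):
    """Ethernet II frame carrying an ARP packet (14-byte Ethernet header + 28-byte ARP)."""
    eth = mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ETH_P_ARP)
    hdr = struct.pack("!HHBBH", 1, 0x0800, 6, 4, arp.op)  # htype, ptype, hlen, plen, opcode
    body = (mac_bytes(arp.sender_mac) + ip_bytes(arp.sender_ip)
            + mac_bytes(arp.target_mac) + ip_bytes(arp.target_ip))
    return eth + hdr + body

def parse_frame(frame):
    """Return (dst_mac, src_mac, Arp) or None if this is not an Ethernet/IPv4 ARP frame."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    p = frame[22:42]
    return mac_str(frame[0:6]), mac_str(frame[6:12]), Arp(
        op, mac_str(p[0:6]), ip_str(p[6:10]), mac_str(p[10:16]), ip_str(p[16:20]))

class Host:
    def __init__(self, mac, ip, switch):
        self.mac, self.ip, self.switch, self.arp_cache = mac, ip, switch, {}
        switch.attach(self)

    def resolve(self, ip):
        """Step 1: broadcast a request for the MAC bound to `ip`."""
        req = Arp(ARP_REQUEST, self.mac, self.ip, "00:00:00:00:00:00", ip)
        self.switch.forward(build_frame(BROADCAST, self.mac, req))

    def receive(self, frame):
        parsed = parse_frame(frame)
        if parsed is None:
            return
        _dst, _src, arp = parsed
        if arp.op == ARP_REQUEST and arp.target_ip == self.ip:
            # Step 3: the owner of the IP answers with a unicast reply.
            rep = Arp(ARP_REPLY, self.mac, self.ip, arp.sender_mac, arp.sender_ip)
            self.switch.forward(build_frame(arp.sender_mac, self.mac, rep))
        elif arp.op == ARP_REPLY:
            # Step 4: cache the binding. Nothing checks that this reply answers an
            # outstanding request or that the sender owns sender_ip (simplified model
            # of real stacks, which differ in detail but never authenticate ARP).
            self.arp_cache[arp.sender_ip] = arp.sender_mac

class Switch:
    """Step 2: broadcasts (and unknown unicast) are flooded to every port on the VLAN."""
    def __init__(self, watchers=()):
        self.ports, self.watchers = {}, list(watchers)
    def attach(self, host):
        self.ports[host.mac] = host
    def forward(self, frame):
        for w in self.watchers:          # watchers model a passive SPAN/mirror port
            w.observe(frame)
        parsed = parse_frame(frame)
        if parsed is None:
            return
        dst, src, _arp = parsed
        if dst == BROADCAST or dst not in self.ports:
            targets = [h for m, h in self.ports.items() if m != src]
        else:
            targets = [self.ports[dst]]
        for h in targets:
            h.receive(frame)

class ArpWatcher:
    """Passive detector: alert when an IP is claimed by a different MAC than before."""
    def __init__(self):
        self.seen, self.alerts = {}, []
    def observe(self, frame):
        parsed = parse_frame(frame)
        if parsed is None or parsed[2].op != ARP_REPLY:
            return
        arp = parsed[2]
        old = self.seen.get(arp.sender_ip)
        if old is not None and old != arp.sender_mac:
            self.alerts.append(f"{arp.sender_ip} changed {old} -> {arp.sender_mac}")
        self.seen[arp.sender_ip] = arp.sender_mac

def run_scenario():
    """Victim learns the real gateway MAC, then an unsolicited forged reply overwrites it."""
    watcher = ArpWatcher()
    sw = Switch([watcher])
    victim = Host("aa:aa:aa:aa:aa:01", "192.168.1.10", sw)
    Host("aa:aa:aa:aa:aa:fe", "192.168.1.1", sw)           # gateway
    attacker = Host("cc:cc:cc:cc:cc:99", "192.168.1.66", sw)
    victim.resolve("192.168.1.1")
    legit = victim.arp_cache["192.168.1.1"]
    forged = Arp(ARP_REPLY, attacker.mac, "192.168.1.1", victim.mac, victim.ip)
    sw.forward(build_frame(victim.mac, attacker.mac, forged))  # the poisoning step
    return {"legit": legit, "poisoned": victim.arp_cache["192.168.1.1"], "alerts": watcher.alerts}

if __name__ == "__main__":
    print(run_scenario())
```

The detector only sees the forged reply because the switch mirrors frames to it; on a real network that means a SPAN port or a tool such as arpwatch on each segment, and the alert fires only after the binding has already changed, so it is a detection control, not a preventive one.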