Information Security Asked on November 11, 2021
I’ve been looking into ways to detect a Man In the Middle attack, when the client has been "duped" into trusting a third party CA. Examples of this are anti-virus applications and corporate firewalls, which are now installing their own certificate authorities on the client machines with the intention of performing MITM functionality. And I’m sure that you can think of many other methods to perform this type of "Superfish" attack against consumer devices.
Given that this type of behaviour is now becoming more common, it would be better for sensitive websites (such as online banking) to include additional restrictions as to who can issue certificates. One solution for this would have been to use the CAA DNS Record to indicate the Certificate Authorities that are allowed to issue certificates. However, as has been pointed out in these forums, RFC-6844 falls short of providing any form of certificate validation.
The now deprecated HPKP protocol did require the users to have visited the site prior to the MITM proxy being installed, thus it’s not a reliable mechanism and that’s probably why it was withdrawn.
As far as I can tell, the other mechanisms such as Certificate Transparency, CRLs and OCSP are only useful to verify that a certificate is valid, but they don’t detect if a site is being exposed with a certificate that was issued by a MITM proxy.
According to many of the posts on this website, the alternative technology is DNS-Based Authentication of Named Entities, aka DANE [RFC 6698]. This can be used to publish the public key of any third-party website. However, this has not been widely adopted, partly because this technology is seen as an alternative to the PKI rather than a mechanism for validating certificate chains. And of course DNSSEC would need to be extended to every domain to provide verifiable DNS information.
I think that I’ve exhausted every avenue for automatically detecting MITM. But I was wondering if there are any other proposals for defending against this type of attack?
Thanks
Paul
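An added example, not part of the original question: the RFC 6698 matching step for end-entity TLSA records, showing how a certificate re-issued by an intercepting proxy fails the comparison even though the local trust store accepts its chain. It assumes the TLSA records were already DNSSEC-validated and uses constructed byte strings in place of real DER data; the function names are illustrative.

```python
import hashlib

# Matching types from RFC 6698 section 2.1.3
MATCHERS = {
    0: lambda data: data,                           # exact bytes
    1: lambda data: hashlib.sha256(data).digest(),
    2: lambda data: hashlib.sha512(data).digest(),
}
EE_USAGES = (1, 3)   # PKIX-EE and DANE-EE constrain the server's own certificate

def parse_tlsa(text):
    """Parse 'usage selector mtype hex' (zone-file presentation form)."""
    usage, selector, mtype, *hex_parts = text.split()
    usage, selector, mtype = int(usage), int(selector), int(mtype)
    if usage not in (0, 1, 2, 3) or selector not in (0, 1) or mtype not in MATCHERS:
        raise ValueError("unsupported TLSA parameters: " + text)
    return usage, selector, mtype, bytes.fromhex("".join(hex_parts))

def tlsa_matches(record, cert_der, spki_der):
    """True if an end-entity TLSA record matches the presented certificate."""
    usage, selector, mtype, assoc = parse_tlsa(record)
    if usage not in EE_USAGES:
        return False          # usages 0 and 2 pin a CA in the chain, not handled here
    selected = cert_der if selector == 0 else spki_der   # 0 = full cert, 1 = SPKI
    return MATCHERS[mtype](selected) == assoc

def check_connection(records, cert_der, spki_der):
    """Classify a handshake against the DNSSEC-validated TLSA RRset (assumed)."""
    ee_records = [r for r in records if parse_tlsa(r)[0] in EE_USAGES]
    if not ee_records:
        return "unchecked"    # nothing published for the leaf certificate
    if any(tlsa_matches(r, cert_der, spki_der) for r in ee_records):
        return "ok"
    return "mismatch"         # leaf differs from what the domain owner published

# Constructed stand-ins for DER bytes; real values come from the TLS handshake.
ORIGIN_CERT, ORIGIN_SPKI = b"origin-cert-der", b"origin-spki-der"
PROXY_CERT, PROXY_SPKI = b"proxy-reissued-cert-der", b"proxy-spki-der"
PUBLISHED = ["3 1 1 " + hashlib.sha256(ORIGIN_SPKI).hexdigest()]

if __name__ == "__main__":
    print(check_connection(PUBLISHED, ORIGIN_CERT, ORIGIN_SPKI))  # origin server
    print(check_connection(PUBLISHED, PROXY_CERT, PROXY_SPKI))    # intercepted
```

The comparison only means something if the TLSA lookup itself bypasses the interception point and is DNSSEC-validated on the client.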