I see that this page has been indexed by Google but more relevant ones
have not. I suggest you
see my paper on SSL-man-in-the-middle attacks:
http://www.pburkholder.com/sysadmin/SSL-mitm//
Notes:
Web man-in-the -middle attack
An attacker on the client's subnet will spoof DNS to return its own IP for a DNS query
Client will then establish an SSL connection to the attacker, which will return its own cert -- leaving the client to decide whether to accept the self-signed cert or not
Once accepted, attacker relays and inspects/modifies any traffic