So uh, should I be concerned at all if my connection came back as a likely MITM from my home network in the US? Or is it most likely a false positive caused by my firewall or something?
I tested it both off a VPN and on a VPN from my iPhone yet still had the same result both times.
If your phone is also used for work, you might have gotten a root certificate installed through their MDM program. Check Settings>General>About>Certificate Trust Settings for a root certificate.
On this machine I get "likely" in Firefox, "unlikely" in a Firefox private window and "unlikely" in Chrome. Not sure what to make of that.
(Also, all of the installed extensions are also enabled in private mode. I know that changed recently, so I checked. Also, the certs the browsers claim I'm getting in all three scenarios seem to be the same...)
Probably an outdated implementation of our rules, regarding Firefox on your machine. Feel free to file an issue; also we will be switching to Cloudflare's mitmengine (based on the same research paper, but they have way more resources to keep it maintained at scale, thus making it more accurate) in Caddy 2 in a matter of months.
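To make the "outdated rules" explanation concrete, here is an added example of the kind of heuristic the thread is talking about: compare the TLS ClientHello a client actually sends with what its User-Agent claims it is. This is illustration code written for this thread, not mitm.watch's, Caddy's, or Cloudflare's mitmengine's code; the `RULES` table, the User-Agent string and the ClientHello bytes are all constructed here for the demonstration (the cipher-suite and extension numbers themselves are the real IANA values). A stale rule table is exactly what produces a "likely MITM" for a genuine browser.

```python
"""Toy TLS ClientHello fingerprinter in the spirit of the User-Agent vs.
TLS-handshake heuristic discussed in the thread.  Example code for this
thread only; not the code of mitm.watch, Caddy or mitmengine.  The rule
table and all handshake bytes below are constructed for illustration."""
import struct

# Extension type numbers from the IANA TLS registry (real values).
EXT_SERVER_NAME, EXT_SUPPORTED_GROUPS = 0, 10
EXT_SIGNATURE_ALGORITHMS, EXT_ALPN, EXT_SUPPORTED_VERSIONS = 13, 16, 43


def build_client_hello(version, ciphers, extensions):
    """Construct a minimal ClientHello record (constructed test input, not a capture).
    Extensions are emitted with empty bodies; only their type numbers matter here."""
    ext_bytes = b"".join(struct.pack("!HH", e, 0) for e in extensions)
    hello = struct.pack("!H", version) + bytes(32) + b"\x00"          # version, random, empty session id
    hello += struct.pack("!H", 2 * len(ciphers)) + b"".join(struct.pack("!H", c) for c in ciphers)
    hello += b"\x01\x00"                                               # one compression method: null
    hello += struct.pack("!H", len(ext_bytes)) + ext_bytes
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello       # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record):
    """Extract the fingerprint-relevant fields (version, cipher order, extension order)."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) != rec_len or body[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) != hs_len:
        raise ValueError("truncated ClientHello")
    pos = 0
    version = struct.unpack("!H", hello[pos:pos + 2])[0]; pos += 2
    pos += 32                                   # client random
    pos += 1 + hello[pos]                       # session id
    cs_len = struct.unpack("!H", hello[pos:pos + 2])[0]; pos += 2
    ciphers = [struct.unpack("!H", hello[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + hello[pos]                       # compression methods
    extensions = []
    if pos < len(hello):
        ext_total = struct.unpack("!H", hello[pos:pos + 2])[0]; pos += 2
        end = pos + ext_total
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hello[pos:pos + 4]); pos += 4
            extensions.append(etype)
            pos += elen                         # extension body is irrelevant to the fingerprint
    return {"version": version, "ciphers": ciphers, "extensions": extensions}


def fingerprint(fields):
    """Render parsed fields as a compact, comparable string (JA3-like, without the hash)."""
    return "%d,%s,%s" % (fields["version"],
                         "-".join(map(str, fields["ciphers"])),
                         "-".join(map(str, fields["extensions"])))


def browser_family(user_agent):
    """Very rough UA classification (Firefox first: Chrome UAs also contain 'Safari/')."""
    for family in ("Firefox", "Chrome"):
        if family + "/" in user_agent:
            return family
    return None


# Constructed rule table: fingerprints each browser family's own TLS stack is
# "known" to produce.  Made up for this example; a real engine has far more entries.
RULES = {
    "Firefox": {"771,4865-4867-4866-49195-49199,0-10-13-16"},
    "Chrome": {"771,4865-4866-4867-49195-49199,0-10-16-13"},
}


def classify(user_agent, record, rules=RULES):
    """'unlikely' if the handshake matches a known fingerprint for the claimed browser,
    'likely' (MITM suspected) if not, 'unknown' if the UA is not covered by the rules."""
    family = browser_family(user_agent)
    if family is None:
        return "unknown"
    return "unlikely" if fingerprint(parse_client_hello(record)) in rules[family] else "likely"


# Constructed inputs for the three situations from the thread.
FIREFOX_UA = "Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0"
GENUINE_FIREFOX = build_client_hello(0x0303, [0x1301, 0x1303, 0x1302, 0xC02B, 0xC02F],
                                     [EXT_SERVER_NAME, EXT_SUPPORTED_GROUPS, EXT_SIGNATURE_ALGORITHMS, EXT_ALPN])
# A legacy interception proxy re-originating the connection with its own (older) TLS stack.
INTERCEPTOR = build_client_hello(0x0303, [0x002F, 0x0035, 0x000A],
                                 [EXT_SERVER_NAME, EXT_SUPPORTED_GROUPS, EXT_SIGNATURE_ALGORITHMS])
# A newer Firefox release that adds an extension the rule table has not learned yet.
NEWER_FIREFOX = build_client_hello(0x0303, [0x1301, 0x1303, 0x1302, 0xC02B, 0xC02F],
                                   [EXT_SERVER_NAME, EXT_SUPPORTED_GROUPS, EXT_SIGNATURE_ALGORITHMS,
                                    EXT_ALPN, EXT_SUPPORTED_VERSIONS])


def updated_rules():
    """What a rule refresh does: learn the newer browser's fingerprint."""
    return {"Firefox": RULES["Firefox"] | {fingerprint(parse_client_hello(NEWER_FIREFOX))},
            "Chrome": RULES["Chrome"]}


if __name__ == "__main__":
    print("genuine Firefox      :", classify(FIREFOX_UA, GENUINE_FIREFOX))
    print("interception proxy   :", classify(FIREFOX_UA, INTERCEPTOR))
    print("newer Firefox, stale :", classify(FIREFOX_UA, NEWER_FIREFOX))
    print("newer Firefox, fresh :", classify(FIREFOX_UA, NEWER_FIREFOX, updated_rules()))
```

The third case is the false positive reported above: the browser is talking directly to the server, but its handshake has drifted from the rule table, so the heuristic can only say "likely". Which is why the independent check in the thread (comparing the certificate fingerprint your browser shows with the one an external scanner sees) is the better tie-breaker than the verdict itself.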
It also said "Likely MITM" for me (Firefox on CentOS 7), but the SHA256 certificate fingerprint in the browser matches the one seen by Qualys (https://www.ssllabs.com/ssltest/analyze.html?d=mitm.watch), so at least in my case it seems to be a false positive.
iOS is tricky because of its weird rules regarding TLS libraries and web views. If you are sure you haven't any rogue CA certs in your applicable trust stores, it's probably a false positive.