Some people run TACK. Chrome also, IIRC, reports back on when certs have changed and Google can clearly see if there's widespread disagreement on what key is being served to visitors.
Chrome pins the Google certs, so MITM will only work if you get the user before they've first downloaded Chrome. And then you have to ensure you only ever MITM those clients, or your attack will be detected.
And TACK literally was designed to solve this problem. If the MITM interferes with you communicating to other TACK clients, you detect their attack. If they don't, you detect their attack.
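The pin-then-compare logic the posts above argue about, written out as an added example (not code from the thread, from Chrome or from the TACK project); the host name and the SPKI byte strings are constructed, and the reporting backend is modelled as a plain dictionary of what each client saw.

```python
import hashlib
from collections import defaultdict

# Constructed stand-ins for the DER SubjectPublicKeyInfo of two different keys.
REAL_SPKI = b"constructed-spki-of-the-genuine-server-key"
MITM_SPKI = b"constructed-spki-of-an-interposed-key"


def spki_fingerprint(spki: bytes) -> str:
    """SHA-256 over the SubjectPublicKeyInfo: the value a key pin compares against."""
    return hashlib.sha256(spki).hexdigest()


class PinningClient:
    """One client's pin store: preloaded pins plus trust-on-first-use for the rest."""

    def __init__(self, preloaded=None):
        # Pins shipped with the client, like the built-in Google pins in Chrome.
        self.pins = dict(preloaded or {})

    def connect(self, host: str, spki: bytes) -> str:
        fp = spki_fingerprint(spki)
        pinned = self.pins.get(host)
        if pinned is None:
            # First sight of this host: nothing to compare against, so record it.
            # An interceptor present at this moment gets its own key pinned.
            self.pins[host] = fp
            return "pinned"
        return "ok" if pinned == fp else "MISMATCH"


def cross_client_disagreement(observations: dict) -> set:
    """observations maps client id -> fingerprint that client saw for one host.

    Returns the minority fingerprints: keys only some clients were served.
    This is the disagreement a central report collector can spot when an
    interceptor reaches a subset of clients and the rest see the real key."""
    count = defaultdict(int)
    for fp in observations.values():
        count[fp] += 1
    if len(count) <= 1:
        return set()          # everyone saw the same key, nothing to flag
    majority = max(count, key=count.get)
    return {fp for fp in count if fp != majority}
```

A client intercepted from its very first connection pins the wrong key, and the mismatch then surfaces the moment interception stops, which is why the interception would have to continue forever for those clients to stay undetected.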
Really? How?