With many MITM attacks, you get fake certs. CA pinning would help to fix this: the browser would retain a copy of every cert it receives in a local DB, and if it gets a different cert the next time you visit the same domain, or if the signing CA is different, it gives you a warning. Carry on at your peril. This kind of attack is mainly the work of state-sponsored threat actors: they have the resources and the clout to persuade a CA operator to sign a bogus cert and/or to insert themselves into DNS traffic.
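As an added illustration of the check described above (example code written for this post, not taken from any browser or plugin), here is a small trust-on-first-use pin store: on the first visit it records the certificate fingerprint and issuer for a host; on later visits it reports a match, a changed certificate under the same CA, or a certificate from a different CA, and only replaces the pin when the user explicitly accepts the new one. The host names, issuer strings and "certificate" byte strings are constructed placeholders, not real certificates.

```python
"""Trust-on-first-use certificate pinning store (added example, not from the post).

Models the browser-side check described above: remember the certificate
(and its issuing CA) seen for a host, and warn when a later visit presents
a different certificate or a different issuer.
Assumptions: a certificate is represented by its DER bytes and the issuer by
its distinguished-name string; the sample certificates below are constructed
byte strings standing in for DER, not real certificates.
"""
import hashlib
import json
from dataclasses import dataclass
from pathlib import Path
from typing import Optional

FIRST_SEEN = "first-seen"               # no pin yet: record it (trust on first use)
MATCH = "match"                         # same certificate as last time
CERT_CHANGED = "warn-cert-changed"      # new leaf cert, same issuing CA (often a renewal)
ISSUER_CHANGED = "warn-issuer-changed"  # new cert from a different CA (strong MITM signal)


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of the certificate bytes, as hex."""
    return hashlib.sha256(der).hexdigest()


@dataclass
class Pin:
    fingerprint: str
    issuer: str


class PinStore:
    """Per-host pins, optionally persisted to a JSON file (the 'local DB')."""

    def __init__(self, path: Optional[Path] = None):
        self.path = path
        self.pins: dict[str, Pin] = {}
        if path and path.exists():
            data = json.loads(path.read_text())
            self.pins = {host: Pin(**pin) for host, pin in data.items()}

    def save(self) -> None:
        if self.path:
            self.path.write_text(json.dumps({h: vars(p) for h, p in self.pins.items()}))

    def check(self, host: str, der: bytes, issuer: str) -> str:
        """Compare the presented cert with the pin for host.

        Only FIRST_SEEN writes to the store; a changed cert or issuer is
        reported and the old pin is kept until accept() is called.
        """
        seen = Pin(fingerprint(der), issuer)
        pinned = self.pins.get(host)
        if pinned is None:
            self.pins[host] = seen
            self.save()
            return FIRST_SEEN
        if pinned.fingerprint == seen.fingerprint:
            return MATCH
        if pinned.issuer != seen.issuer:
            return ISSUER_CHANGED
        return CERT_CHANGED

    def accept(self, host: str, der: bytes, issuer: str) -> None:
        """The user chose to carry on: replace the pin with the new certificate."""
        self.pins[host] = Pin(fingerprint(der), issuer)
        self.save()


# Constructed sample "certificates" (placeholders for DER bytes, not real certs).
CERT_A = b"example.com leaf cert #1, signed by CA-1"
CERT_B = b"example.com leaf cert #2, signed by CA-1"  # renewal by the same CA
CERT_C = b"example.com leaf cert #3, signed by CA-2"  # cert from an unexpected CA


def demo() -> list:
    """Walk one host through first visit, match, renewal, CA change and acceptance."""
    store = PinStore()
    results = [
        store.check("example.com", CERT_A, "CN=CA-1"),  # first-seen
        store.check("example.com", CERT_A, "CN=CA-1"),  # match
        store.check("example.com", CERT_B, "CN=CA-1"),  # warn-cert-changed
        store.check("example.com", CERT_C, "CN=CA-2"),  # warn-issuer-changed
    ]
    store.accept("example.com", CERT_B, "CN=CA-1")
    results.append(store.check("example.com", CERT_B, "CN=CA-1"))  # match after accepting
    return results


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The two warning levels are deliberately separate: a new leaf certificate from the same CA is what a routine renewal looks like, whereas a certificate for the same host suddenly chained to a different CA is the pattern a CA-level compromise or DNS interception would produce, so a real implementation should present the second case far more loudly than the first.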
Ok, so since writing this article, I have discovered the Certificate Patrol Firefox plugin, which does exactly what I described above. Just like most great ideas – someone has had it already! If you use Firefox, go grab the plugin.