Hi all, I am working on a study project around mitigation strategies to protect against man in the middle attacks and would like some advice around how FireFox deals with detecting a new network adapter and an update of routes on the local host whilst FireFox is running. My study project involves connecting a small (malicious) device that configures ethernet over USB, this device also runs a web server, a DHCP server and a DNS server to essentially perform a man in the middle attack. When the device is connected a DHCP address is issued to the ethernet over USB device and the subnet mask on the victim is set to route all ipv4 addresses to the malicious device, the device also spoofs all DNS queries on the fly to route to the device this ensures that all traffic is routed to the device. This ultimately provides a method for any HTTP request from the browser to hit the device, the device responds with html content containing a malicious script. Many websites frequently make HTTP requests without intervention, such as an advert, and so this attack can run automatically. For my testing I have used a range of browsers and in each scenario I open 2 tabs, one standard http page and another http page that has an auto refresh capability built in via refresh javascript to refresh the page every 60 seconds. I set up the two tabs and leave them open, then plug in my device. In the case of Internet explorer, Chrome, Edge and Safari the man in the middle attack works automatically without any issues. But for FireFox it does not, the web page continues to refresh as normal even though the local OS thinks that the device is where the website resides. I can confirm this by using ping, looking at local routes and running wireshark, in the case of Firefox even after connecting the device I can see all HTTP requests still run over the wireless interface. I check FireFox developer and also disable cache. Yet in all other browsers the http request runs over the device I connect and all http traffic ceases to run over the wireless interface. If I manually refresh the page or open a new http page in FireFox the traffic routes to the device. If I set Firefox to offline and then online whilst leaving the auto refresh page open the HTTP request will route over the device, so this to me seems like some sort of caching. I have tested this on 2 x Macbooks and Windows 7 (testing only :-)) and Windows 10 and have the same result. To try and resolve I have turned off DNS prefetch and also looked at the network settings and changed each proxy option, currently I have it set to no proxy. I also searched for similar articles and read this article, which is seemingly relevant but did not solve my specific use case. https://daniel.haxx.se/blog/2014/09/26/changing-networks-with-firefox-running/ I am not interested in a fix, but I am interested to understand why this happens and if this is actually a specific feature within FireFox and any other useful information around this specific scenario. Thanks a lot for reading