Subverting HTTP sessions on local networks has certainly been a hot, if quiet, topic over the past year. First (most likely not first, but first for my purposes) was Sidejacking. At Defcon, Beale spoke about his tool The Middler doing HTTP fiddling. And now I read about Surf Jacking, which is pretty much another interesting bit of HTTP fiddling.
How do you detect that someone is re-routing LAN traffic? If one knows the expected MAC address of the DHCP/gateway devices, then one can implement firewall rules or simply watch for changing ARP entries. If you think someone might be hijacking your HTTP sessions, purposely open an HTTPS session with some site and see whether its certificate is valid. If it is, there’s a decently good chance no one is interested in your traffic. If someone is interested and MITMing you, then the certificate should give warnings.
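The "watch for changing ARPs" check above, written out as an added example (not code from the original post): it reads tcpdump-style ARP reply lines, compares the MAC claimed for the gateway/DHCP addresses against a known-good table, and also flags any IP that is claimed by more than one MAC. The expected MACs and the sample capture lines are constructed for this example.

```python
import re
from collections import defaultdict

# Known-good MACs for the devices worth protecting (constructed values).
EXPECTED = {
    "192.168.1.1": "00:11:22:33:44:55",  # gateway (assumed)
    "192.168.1.2": "00:11:22:33:44:66",  # DHCP server (assumed)
}

# Matches the "is-at" form of an ARP reply as printed by `tcpdump -n arp`.
ARP_REPLY = re.compile(
    r"ARP, Reply (?P<ip>\d+\.\d+\.\d+\.\d+) is-at "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})",
    re.IGNORECASE,
)

# Constructed sample: a good gateway reply, then a second MAC claiming the
# gateway, then an unknown host whose MAC flips between two values.
SAMPLE = """\
12:00:01.000000 ARP, Request who-has 192.168.1.1 tell 192.168.1.50, length 28
12:00:01.000100 ARP, Reply 192.168.1.1 is-at 00:11:22:33:44:55, length 28
12:00:05.000000 ARP, Reply 192.168.1.1 is-at de:ad:be:ef:00:01, length 28
12:00:06.000000 ARP, Reply 192.168.1.77 is-at aa:bb:cc:dd:ee:01, length 28
12:00:07.000000 ARP, Reply 192.168.1.77 is-at aa:bb:cc:dd:ee:02, length 28
""".splitlines()


def parse_arp_replies(lines):
    """Yield (ip, mac) pairs from ARP reply lines; requests and noise are skipped."""
    for line in lines:
        m = ARP_REPLY.search(line)
        if m:
            yield m.group("ip"), m.group("mac").lower()


def detect_arp_anomalies(lines, expected=EXPECTED):
    """Return alert strings: expected-MAC mismatches and IPs claimed by >1 MAC."""
    alerts = []
    seen = defaultdict(set)  # ip -> set of MACs that have claimed it
    for ip, mac in parse_arp_replies(lines):
        want = expected.get(ip)
        if want is not None and mac != want.lower():
            alerts.append(f"MISMATCH {ip}: expected {want}, saw {mac}")
        if mac not in seen[ip]:
            seen[ip].add(mac)
            if len(seen[ip]) > 1:  # alert once per newly seen MAC, not per packet
                alerts.append(f"FLIPFLOP {ip}: claimed by {sorted(seen[ip])}")
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_anomalies(SAMPLE):
        print(alert)
```

On a live host the same function can be fed `tcpdump -n -l arp` output line by line; a MISMATCH on the gateway address is the signal that something is re-routing your traffic.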
For an enterprise, what do you do? Well, I think the only valuable recourse is to make every laptop VPN into the mothership and browse through it using more trusted services. A user can also inspect cookies to make sure they are only sent over encrypted connections, and try their best to ensure that SSL persists. Even watching wire traffic for weird ARP activity can help.
The downside of all of this? It’s not easy being informed and secure. I wouldn’t expect any of my users to understand any of this, let alone actually practice it. This is why I think endpoints, and especially public local networks, are a dangerous hunting ground right now. These are advanced topics, and the only way to combat them is long-term education plus technological controls (like the bumpers in the gutters of bowling lanes).