According to the article, the researchers analyzed the behavior of SSL clients (since one has to implement a client in order to be able to communicate with the server in an MiTM); and apparently the implementation by assorted MiTMs is different enough from that of common browsers that they were able to at least estimate.
A client wishing to know has an easier and harder job: easier, because they can inspect the certificate presented to them by the server or agent pretending to be the server (while clients don't present certs to servers during the process); and while it isn't hard to inject a cert into the trust store of a platform you control, it is functionally impossible to fake a cert (for modern ciphers that you shouldn't just run screaming from).
Harder because Cloudflare has the advantage of getting to observe about a zillion connections to and from all sorts of things all the time, which is a fantastic platform for statistical inference; while you have one (maybe two if you have a cell data link) data points to work with. In some cases it is still trivial (if IT is watching, they don't necessarily have any reason to hide, and might even appreciate the effects of visible surveillance, so it would be little surprise to see that not-at-all-sneaky FooCorp LLC Root is the one impersonating and re-signing all that traffic); but if the attacker is being sneaky (innocuous-looking or phishing-special lookalike root snuck in; or certs from a real, but incorrect, CA used) your only real way of knowing would be to have out-of-band knowledge of what cert you should be seeing vs. what cert you are seeing (and since attacks are likely to be homogeneous along organizational lines, you can't just ask the guy in the next cube or another Comcast customer; you ideally want the greatest diversity of companies, ISPs, nation states, installed security software, etc. you can possibly manage).
That's a huge pain, and often dubiously practical, which is why "trusted certificates" and CAs are a thing in the first place: if you just verified the fingerprint of every cert through a separate secure channel you wouldn't need that; but "separate secure channel" is a tall order (not necessarily quite as bad as "why don't you just have a trusted agent with a suitcase full of one-time pads handcuffed to him?", but only slightly less helpful).
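The out-of-band comparison the post describes (what cert you should be seeing vs. what cert you are seeing) is, mechanically, a fingerprint pin check. The example below is added here and is not code from the poster or from the article; it shows the check in Python's standard library only. The certificate bytes in it are constructed placeholder strings labelled as such, not real X.509 DER (a fingerprint is just a hash over the DER, so nothing needs to parse ASN.1), and `fetch_chain` does a live handshake and so is not exercised offline. Names such as `FooCorp LLC Root` are taken from the post; the hostnames and pin set are assumptions for illustration.

```python
"""
Out-of-band certificate pinning check: compare the certificate a server
(or something pretending to be the server) presents against fingerprints
learned through some other channel.

Added example for this thread, not code from the original post. The
"certificates" in the sample data are constructed placeholder byte strings,
not real X.509 DER: a fingerprint is just a hash over the DER bytes, so
nothing here needs to parse ASN.1.
"""
import base64
import hashlib
import socket
import ssl


def sha256_fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint in the colon-separated form `openssl x509 -fingerprint` prints."""
    hexdigest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def pem_blocks_to_der(pem_text: str) -> list[bytes]:
    """Decode every CERTIFICATE block in a PEM bundle, in the order they appear."""
    ders = []
    current = None
    for line in pem_text.splitlines():
        line = line.strip()
        if line == "-----BEGIN CERTIFICATE-----":
            current = []
        elif line == "-----END CERTIFICATE-----":
            if current is not None:
                ders.append(base64.b64decode("".join(current)))
            current = None
        elif current is not None and line:
            current.append(line)
    return ders


def check_pins(observed_chain: list[bytes], pinned: set[str]) -> dict:
    """
    Accept only if some certificate in the observed chain matches a pinned
    fingerprint. Pinning the leaf catches a re-signing proxy even when its
    root has been injected into the local trust store (trust-store checks
    pass; the pin does not). Pinning an intermediate or the real CA root
    instead survives routine leaf rotation at the cost of a coarser check.
    """
    observed = [sha256_fingerprint(der) for der in observed_chain]
    matched = [fp for fp in observed if fp in pinned]
    return {"ok": bool(matched), "matched": matched, "observed": observed}


def fetch_chain(host: str, port: int = 443, timeout: float = 5.0) -> list[bytes]:
    """
    Do a real TLS handshake and return the peer's leaf certificate as DER.

    Verification is deliberately left at the ssl module defaults: a corporate
    interception root sitting in the platform trust store passes it, which is
    exactly why the pin comparison is needed on top. The ssl module exposes
    only the peer (leaf) certificate, not the intermediates the server sent,
    so the returned list has one element. Requires network; not run offline.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return [tls.getpeercert(binary_form=True)]


# Constructed sample data (not real certificates). In practice the pin set
# comes from an out-of-band source: a prior clean connection, a friend on a
# different ISP or in a different company, a published fingerprint.
GENUINE_LEAF_DER = b"constructed: genuine example.com leaf (placeholder bytes)"
RESIGNED_LEAF_DER = b"constructed: example.com leaf re-signed by FooCorp LLC Root"
PINNED = {sha256_fingerprint(GENUINE_LEAF_DER)}


def demo_pem_bundle(*ders: bytes) -> str:
    """Wrap DER blobs in PEM armor so the parser above sees realistic input."""
    blocks = []
    for der in ders:
        b64 = base64.b64encode(der).decode()
        body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
        blocks.append(f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----")
    return "\n".join(blocks) + "\n"


if __name__ == "__main__":
    for label, der in (("direct", GENUINE_LEAF_DER), ("via proxy", RESIGNED_LEAF_DER)):
        result = check_pins(pem_blocks_to_der(demo_pem_bundle(der)), PINNED)
        print(f"{label:10s} {'OK' if result['ok'] else 'PIN MISMATCH'} {result['observed'][0]}")
```

The check only knows "different", not "why": a mismatch from a re-signing proxy and a mismatch from a legitimate certificate rotation look identical, which is the "huge pain" in the last paragraph. Pins need a refresh path, and the pin set should be gathered from as diverse a set of vantage points as you can get, for the reasons the post gives.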