I would remind you that an ARP poisoning attack works at OSI layer 2, whilst HTTPS works at layer 5.
Or else, to better pose your problem, your doubt seems to be whether someone listening to the conversation or performing a MitM (man-in-the-middle) attack can compromise the security of an SSL conversation without the user noticing.
The ARP poisoning attack only alters the default route of outgoing packets, as the attacking machine poisons the ARP tables of the victims to pose as the router.
SSL technologies complicate proxying it, but the feat is not impossible. In fact, some security products/corporate firewalls implement technology that is basically a MitM attack, to be able to listen to HTTPS dialogues and detect malware.
For establishing a successful MitM attack / proxy to a session protected by X.509:
- the user has to be uneducated enough to accept a wrong certificate;
- or you have to fool the user's browser into believing the certificate is legitimate.
For that effect, either you search for hash collisions in older protocols (that is why SHA-1 certificates are being phased out), or you install a root certificate of your own on the victim's computer.
In a corporate setting, normally the AD propagates a root certificate for that effect. Some malware is also known for employing these techniques, and at least one hardware vendor and one AV company were grilled in public opinion for doing this, the first to be able to insert adverts in your pages, the latter to scan for viruses at OS level without using dedicated plug-ins for the browser.
Kazakhstan took it to a whole new level, and is doing MitM attacks at country level, via a mandatory root CA that has to be installed on any device using a national telecom connection:
http://thehackernews.com/2015/12/kazakhstan-internet-spying.html
http://www.theregister.co.uk/2015/12/03/kazakhstan_to_maninthemiddle_all_internet_traffic/
This particular technique generates, on the fly, a valid certificate for the HTTPS requests it intercepts, which has as its root the root CA installed on the victim's device.
You have a Slashdot thread talking about the technique here:
http://it.slashdot.org/story/14/03/05/1724237/ask-slashdot-does-your-employer-perform-https-mitm-attacks-on-employees
An article from Sophos explaining how the SuperFish attack works in Lenovo's malware:
https://nakedsecurity.sophos.com/2015/02/20/the-lenovo-superfish-controversy-what-you-need-to-know/
You can also do it on a Unix system:
https://www.roe.ch/SSLsplit
SSLsplit supports plain TCP, plain SSL, HTTP and HTTPS connections
over both IPv4 and IPv6. For SSL and HTTPS connections, SSLsplit
generates and signs forged X509v3 certificates on-the-fly, based on
the original server certificate subject DN and subjectAltName
extension.
So evidently whilst HTTPS is better than nothing, it is not perfect.
It is far more secure to use VPNs when using the Internet in more hostile environments, and especially at free Wi-Fi hotspots.
As an interesting tidbit, law enforcement has mandatory interception stations in major ISPs, with software/interfaces that implement these MitM attacks and are able to inject corrupted executables/fake OS updates to take control of a victim's computer, as documented by the administration/system/operator manuals that were leaked by Snowden or Assange (can't remember).
Link to the article and the leaked manuals in PDF format:
https://theintercept.com/2014/10/30/hacking-team/
Also, once in a while you will see a stink about registrars issuing certificates for known names like google.com by "mistake", as "trainee tests" or because they were hacked. The controversy is that this further undermines the security and trust of SSL, and I would not be surprised if some of those mistakes are for aiding their own security/intelligence/law enforcement forces to snoop on someone, for instance using Google.
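
A client-side check for the forged-on-the-fly certificates described above, as an added example that is not part of the original answer: a forged leaf chains to a root installed in the local store and so passes normal validation, but its fingerprint and issuer differ from a known-good record. The CA names and byte strings are constructed, and the pin is assumed to have been recorded earlier over a trusted network.

```python
import hashlib
import socket
import ssl


def fingerprint(der: bytes) -> str:
    """SHA-256 of the DER-encoded certificate, as lowercase hex."""
    return hashlib.sha256(der).hexdigest()


def issuer_org(cert: dict) -> str:
    """organizationName of the issuer, from the dict form of getpeercert()."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "organizationName":
                return value
    return ""


def observe(host: str, port: int = 443, timeout: float = 5.0):
    """Connect with normal validation; return (fingerprint, issuer org) of the leaf."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            return fingerprint(der), issuer_org(tls.getpeercert())


def classify(fp: str, issuer: str, pinned_fp: str, expected_issuers: set) -> str:
    """Compare what this network shows us with the known-good record."""
    if fp == pinned_fp:
        return "match"
    if issuer in expected_issuers:
        return "rotated"      # new leaf from the usual CA: refresh the pin out of band
    return "intercepted"      # validated locally, but issued by a CA the site never uses


# Constructed sample data: stand-ins for DER bytes and getpeercert() dicts.
GENUINE_DER = b"constructed genuine leaf certificate"
FORGED_DER = b"constructed leaf forged on the fly"
GENUINE_CERT = {"issuer": ((("countryName", "US"),),
                           (("organizationName", "Example Public CA"),))}
FORGED_CERT = {"issuer": ((("organizationName", "Example Inspection CA"),),)}
PINNED_FP = fingerprint(GENUINE_DER)   # assumed recorded earlier on a trusted network
EXPECTED_ISSUERS = {"Example Public CA"}

if __name__ == "__main__":
    for der, cert in ((GENUINE_DER, GENUINE_CERT), (FORGED_DER, FORGED_CERT)):
        print(classify(fingerprint(der), issuer_org(cert), PINNED_FP, EXPECTED_ISSUERS))
```

On a live connection, pass the two values returned by `observe(host)` to `classify` in place of the constructed samples.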