...in the special case of using an HTTPS connection, though actually I hear that is itself pretty much a built-in man in the middle in the person of the certificate issuer, plus maybe also people can fake the certificates too.
If you're about to say that for HTTPS, the certificate issuer acts as "man in the middle" then no -- that is blatantly wrong.
With HTTPS, you get a secure encrypted connection to some "entity" running a server. But you don't have any idea or guarantees about who is your communication partner. Now, to help with that, a known and "trusted" other entity certifies that this "entity" actually is what it claims to be. This certificate issuer certifies this by signing the "entity's" server certificate. In practice, certificate issuer companies are selling that service for money. It is a well-known unofficial fact that many, if not most, certificate issuer companies don't go to much trouble to actually verify the identity of their customers. It is said that often there is just a cursory check of the domain registration. Well, this is unofficial knowledge, because, officially, by the terms of law, the certificate issuer guarantees that the identity of your communication partner is "verified".
But this in no way means that the certificate issuer is able to intercept an HTTPS communication.
There is another thing. Today, many more elaborate corporate firewalls perform a dedicated man-in-the-middle attack on any HTTPS connection from the general internet to a client within the company. They intercept the connection, decrypt the content, and forward it with another HTTPS connection, signed with the certificate of the firewall proxy. Of course, this triggers a huuuuge alarm in any sensible internet browser. Now, unfortunately, since this practice has become so common, a lot of people routinely click away any "breach of security" alert given by their browser indicating a mismatch on the HTTPS certificate.
...maybe also people can fake the certificates too.
No, it is not possible to fake a certificate without again triggering an alarm in the client's browser. But, see above, thanks to improved corporate security measures, we have now trained a lot of people to ignore any such alarm.
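The check behind the browser alarm discussed in the reply above, as an added example that is not part of the original post: a simplified Python model of certificate validation against a trust store. It assumes textbook RSA over fixed primes rather than real X.509, and every name and key in it is constructed for illustration.

```python
import hashlib

E = 65537  # public exponent used by every toy key

def make_key(p, q):
    """Textbook RSA key pair from two fixed primes (toy model, no padding)."""
    return {"n": p * q, "d": pow(E, -1, (p - 1) * (q - 1))}

def digest(cert, n):
    """Hash the signed fields of a certificate, reduced into the CA's modulus."""
    data = f"{cert['subject']}|{cert['n']}|{cert['issuer']}".encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def issue(ca_name, ca_key, subject, subject_n):
    """The CA signs the subject's name and PUBLIC modulus only; it never holds
    the subject's private key, so signing gives it no way to decrypt traffic."""
    cert = {"subject": subject, "n": subject_n, "issuer": ca_name}
    cert["sig"] = pow(digest(cert, ca_key["n"]), ca_key["d"], ca_key["n"])
    return cert

def validate(cert, hostname, trust_store):
    """Return 'ok', or the reason a browser would show its warning."""
    if cert["subject"] != hostname:
        return "hostname mismatch"
    ca_n = trust_store.get(cert["issuer"])
    if ca_n is None:
        return "unknown issuer"
    if pow(cert["sig"], E, ca_n) != digest(cert, ca_n):
        return "bad signature"
    return "ok"

def scenarios():
    # Constructed keys built from known Mersenne primes; names are hypothetical.
    public_ca = make_key(2**61 - 1, 2**89 - 1)
    proxy_ca = make_key(2**107 - 1, 2**127 - 1)
    server_n = (2**19 - 1) * (2**31 - 1)   # real server's public modulus
    proxy_n = (2**13 - 1) * (2**17 - 1)    # interception proxy's public modulus
    browser = {"Public Root CA": public_ca["n"]}
    managed = {**browser, "Corp Proxy CA": proxy_ca["n"]}  # proxy CA installed
    genuine = issue("Public Root CA", public_ca, "shop.example", server_n)
    resigned = issue("Corp Proxy CA", proxy_ca, "shop.example", proxy_n)
    faked = issue("Public Root CA", proxy_ca, "shop.example", proxy_n)
    return {
        "genuine": validate(genuine, "shop.example", browser),
        "resigned": validate(resigned, "shop.example", browser),
        "faked_issuer": validate(faked, "shop.example", browser),
        "resigned_managed": validate(resigned, "shop.example", managed),
    }
```

The last scenario shows why a managed device stays silent during interception: once the proxy's CA is in the trust store, the re-signed certificate validates like any other.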