Why does this work?

- Cryptography in HTTPS and SSH is based on public-key cryptography
- HTTPS adds trust in public keys through certificates
- Use of these methods is strongly constraining: to be more acceptable, degraded modes are available
  - the client may "blindly" accept the server's key
  - the client may accept that the server may have changed its key
- sshmitm and webmitm use the vulnerabilities thus introduced
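
The two degraded modes above, modelled as an added example (not part of the original slide or of sshmitm/webmitm): a client-side host-key check in which `accept_unknown` and `accept_changed` are hypothetical flags and the key blobs are constructed sample bytes. With both flags off, an unknown or changed key stops the handshake; with either one on, the substituted key is accepted and pinned.

```python
import base64
import hashlib
from enum import Enum


class Verdict(Enum):
    MATCH = "key matches pinned fingerprint"
    REJECT_UNKNOWN = "unknown host refused"
    REJECT_CHANGED = "changed key refused"
    DEGRADED_UNKNOWN = "unknown key accepted blindly"
    DEGRADED_CHANGED = "changed key accepted"


def fingerprint(key_blob: bytes) -> str:
    """OpenSSH-style fingerprint: unpadded base64 of SHA-256 over the key blob."""
    digest = hashlib.sha256(key_blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def check_host_key(pins, host, key_blob, accept_unknown=False, accept_changed=False):
    """Decide whether to continue a handshake. `pins` maps host -> fingerprint.

    accept_unknown / accept_changed are hypothetical flags modelling the two
    degraded modes; leaving both False is the strict policy.
    """
    presented = fingerprint(key_blob)
    pinned = pins.get(host)
    if pinned is None:
        if not accept_unknown:
            return Verdict.REJECT_UNKNOWN
        pins[host] = presented  # trust on first use: whoever answered gets pinned
        return Verdict.DEGRADED_UNKNOWN
    if pinned == presented:
        return Verdict.MATCH
    if not accept_changed:
        return Verdict.REJECT_CHANGED
    pins[host] = presented  # the previous pin is silently overwritten
    return Verdict.DEGRADED_CHANGED


# Constructed sample data: opaque byte strings standing in for public key blobs.
SERVER_KEY = b"constructed-genuine-server-key"
OTHER_KEY = b"constructed-substituted-key"

if __name__ == "__main__":
    pins = {"host.example": fingerprint(SERVER_KEY)}
    for label, key in (("genuine", SERVER_KEY), ("substituted", OTHER_KEY)):
        print(label, "->", check_host_key(dict(pins), "host.example", key).name)
```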