Board: Development & Technical Discussion
Topic: Re: How to prove to someone that an Bitcoin address (or UTXO) belongs to you?
Post by bob123 on 27/05/2019, 07:27:25 UTC
I can't believe everyone got this wrong:

There is only one certain way to prove ownership, and that is by giving your PRIVATE KEY to that someone.

~snip~

If you want to prove ownership of an address that has funds, you move the funds out first, and give out the private key [...]


Then a malicious actor just needs to gain access to your master public key (xpub) to derive all of your private keys belonging to this HD wallet (non-hardened only).


Signing messages is fine to prove ownership.

1) Having a signed message that belongs to that public hash does NOT prove you have ownership, it merely proves to someone that you possess that signed message, but you might or might not be the original actual signer or owner.
[...]
A good real life example of the misconceptions of 1 or 2 is all the OTC scams that take place, where the scammer is a man in the middle but appears to be an owner.

Of course you wouldn't sign a message like "i own this address".
You would include your name, the current date and the reason for signing this message. And eventually even a random token from the person who wants you to prove the ownership.

A MitM wouldn't be useful in any way here.