>> In this specific case, the perps broke into the name server at the ISP
>
> Well, they could have actually also hacked the web server itself and
> stolen the cert. Usually certs are put up without the private key, so
> you can start the httpd without the passphrase question. So, there
> wouldn't have been any hurdle to just use it on the fake server as
> well.

The web server was at the company site and was well-secured. The customer had no way to know that the name server at the ISP was insecure.
