I can confirm that, at least up to 1.2, netscape navigator does not do any validation beyond checking the signer of the certificate. Exactly - the trust model used in Navigator 1.1N requires you to trust every single owner of a valid certificate. Getting hold of any key is vastly easier than having to obtain a specific key; in the worst case, you just buy your own - SSL exchanges are repudiable, and a few simple tricks can make sure you cerificiate doesn't show up in the "Document Information" dialog box. Or, since there are is CRLing, accidentaly lose you private key, notify verisni and get a revocation. To detect the attack without using either a modified client, or a nice proxy that checks for you, you must do packet-tracing on all SSL connections, regenerate the exchange, and then review each exchange to look for suspicious certificates.