Grandparent got downvoted to -1 for stating the plain obvious: "Don't be naive. It's so easy to do it without warning. " (..) Remember, it's not just a single hacker, but government that controls whole traffic, that can impersonate not only any domain but any ip they want, they control BGP."
This is ./ so it is to be expected that such true and damning information was swiftly downvoted. I see the reply to that also got downvoted even though it calls the simple truth "shit": "Sorry but you are full of shit, no mystical routing, ip rules or firewalls can remove the warning. The only way to get rid of the warnings are to either get ahold of trusted certificates or to have pwned the client box so you can control the client/MITM connections"
Did you still miss that it is the GOVERNMENT of a major country we are talking about here? Now go take a good hard look at that default list of "trusted" root certificates shipped with all major browsers. And no, using Firefox or Chrome will not help you here.
https is and always was broken by design. It is, and never was, safe against a government adversary and it never will be. You can stick your head in the sand and think "my government lovs me" (that must be why false-flag terrorism is common, why the US has flouride in the water and so on) but that won't change the simple fact that any government agency can simply make a phonecall and get a valid certificate for any damn domain they want and you're none the wiser if you are a target.