Secure Certificates: Real-Life Problems

by Andrew Barber 8. September 2011 09:34

I just recently posted about Secure Certificates; specifically, noting why it is important to pay attention to your web browser's warnings about them. Two recent stories on CNET offer a chance to illustrate and expand on what I noted therein. The first concerns the pre-installed "trusted" certificate issuers (Certificate Authorities); the second concerns how the address-aware nature of sites protects you, even if a site is hacked in some particular ways.

The Importance of Certificate Authorities

The first story is about companies which serve as Certificate Authorities being compromised: "Second firm stops issuing digital certificates" (link)

The story notes the recent troubles with a Dutch company called DigiNotar. Certificate Authorities (CAs) are highly important entities in providing secure communications over the Internet. When your browser or operating system trusts a CA, it is relying on the information being reported by that CA as being true, just as a bartender must rely to an extent on the information on someone's driver's license as being true. This trust of the CA extends in a few directions: you trust that they have taken all reasonable steps to verify that the people who say they are "amazon.com" really are, and you trust that their servers which provide that verification information are secure.

The problem with DigiNotar is that their servers were not secure, and so false certificates were able to be used. This causes a breakdown in the whole process. As a result, major browser manufacturers have issued updates which remove DigiNotar as a trusted issuer of secure certificates. Internet Explorer users receive the update via Windows Update, and users of Mozilla Firefox and Google Chrome receive it via those browsers' own update mechanisms. As of yet, according to the story linked above, mobile OS manufacturers Google and Apple have not indicated when they will be following suit, but it is expected to happen.

The Importance of Verification

A web server's certificate contains within it private information which can be used to verify that the exact certificate being used was the one that was truly issued. This prevents anyone else from creating a fake certificate that purports to match a true one and installing it on their fake website.

This second story is not about secure certificates, but it helps illustrate my point: "Sites of UPS, Acer, others redirected in DNS attack" (link). The type of attack noted here leaves the original, real site intact, but simply causes web browsers to erroneously load the site from a hacker's server instead of the real one. This same type of attack could be used on your bank's website, for example, to try to trick you into giving the hackers your online banking credentials. Instead of typing your user name and password on the real banking website, you would be typing them on the hacker's website. This is why it's so important for the DNS servers to be properly secured.

But if this type of attack happens to your bank's online banking site, there is still one line of defense built into the secure certificate system. The actual online banking portion of the site should be secure, and you should verify that by the color of your browser's address bar, or whatever mechanism your browser uses to indicate this fact. Next, you should be able to check the address bar and know that you are visiting the correct domain name (that is the part that this hack attacked). Third, though, due to the verification process, those hackers would not be able to provide the correct certificate for the banking site, so your web browser would report an error, stating that it seems as though the certificate was issued to someone other than the site you are actually visiting.

That sort of issue is why it is important to pay attention to those warnings. If your bank suffered an attack similar to the one targeted at UPS and Acer, that certificate warning would be the only way you would be able to know something was wrong, and you were not actually visiting the correct website.
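
The two checks this post relies on (is the issuer trusted, and does the certificate name the site you asked for), sketched as a simplified model. This is an added example, not code from the original post; all host and CA names are constructed, and issuer trust is modelled as a name lookup where a real client verifies signatures up to a trusted root.

```python
# Simplified model of two checks a TLS client makes on a server certificate.
# Certificates are plain dicts here; a real client verifies cryptographic
# signatures up to a trusted root instead of comparing issuer names.

def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Match one certificate DNS name against the requested hostname.
    A '*' is accepted only as the entire left-most label (RFC 6125 style)."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        # The wildcard covers exactly one label and needs two fixed labels after it.
        return len(p_labels) >= 3 and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def check_certificate(cert: dict, hostname: str, trusted_issuers: set) -> str:
    """Return 'ok' or the kind of warning a browser would raise."""
    if cert["issuer"] not in trusted_issuers:
        return "untrusted issuer"
    if not any(dns_name_matches(n, hostname) for n in cert["dns_names"]):
        return "name mismatch"
    return "ok"


# Constructed sample data (every name below is made up for this example).
TRUSTED = {"Example Root CA", "Compromised CA"}
BANK_CERT = {"issuer": "Example Root CA", "dns_names": ["bank.example", "*.bank.example"]}
# After a DNS redirect, the other server can only present certificates it holds:
OTHER_SITE = {"issuer": "Example Root CA", "dns_names": ["attacker.example"]}
SELF_SIGNED = {"issuer": "attacker.example", "dns_names": ["online.bank.example"]}
# A certificate mis-issued by a breached CA passes until that CA is distrusted.
ROGUE = {"issuer": "Compromised CA", "dns_names": ["online.bank.example"]}


def demo() -> dict:
    host = "online.bank.example"
    after_update = TRUSTED - {"Compromised CA"}  # the browser update removes the CA
    return {
        "genuine site": check_certificate(BANK_CERT, host, TRUSTED),
        "redirected, other site's cert": check_certificate(OTHER_SITE, host, TRUSTED),
        "redirected, self-signed cert": check_certificate(SELF_SIGNED, host, TRUSTED),
        "rogue cert before CA removal": check_certificate(ROGUE, host, TRUSTED),
        "rogue cert after CA removal": check_certificate(ROGUE, host, after_update),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The last two cases show why the browser updates mentioned above matter: a certificate from a breached CA raises no warning until that CA is removed from the trusted list.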


Disclaimer
The opinions expressed herein are my own personal opinions and do not represent those of my partners, clients or contractors in any way.

© Copyright 2012 AndrewBarber.com