Main things we went over in our group were showing how you can get legit certs from almost all of the root CAs for... whatever site. Get one for PayPal from VeriSign... one for Gmail from... m$, etc. etc. Some of the root CAs' automated systems even allow for snagging a 'legit' cert for *. Yeah.... *. Hehe. Ironically, IE is one of the few browsers that won't accept a cert for *. Apparently the developers decided that any cert with * as its target was probably... not really legit. Suffice it to say, getting your own certs for target sites is part of it. I don't think they set up the full site for this one. It was just showing how you can bump a user from an EV cert to a "legit" if... sketchy DV cert for the same site... and how it is pretty much impossible for them to notice. (A 5-second wait was put in the video on this part to show the green bar turning to blue, then back to green.) You then use the MITM attack to pop them to your DV cert, snag the credentials, and then pop them back on their EV-certed page that they thought they were still on. The tool automates the process. Someone could sit in a coffee shop with a bunch of certs... and snag creds for tons of various sites that rely on SSL for security.
Our "lodge" is actually doing another little interesting loophole. You can send Comodo 200 bucks.... and they will make you a "Certifying Partner". Or something along those lines. Long story short, you can sign certs for others with CA authority. Can anyone say... abuse?
"Bad.. Good? I'm the guy with the gun"
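As an added example, not part of the post above or of the tool it describes: the two things a client could do to make the tricks in that post harder, written in Python with no third-party dependencies. First, refuse a bare "*" name (and any wildcard that is not the whole leftmost label), which is the check the post credits IE with. Second, remember what the last certificate for a host looked like and flag an EV-to-DV "bump" or an issuer change before handing credentials to the new connection. Certificates are modelled as plain dicts-like records rather than parsed X.509, and the PayPal/VeriSign/Comodo values in the usage are constructed sample data; the EV policy OID 2.23.140.1.1 is the CA/Browser Forum's, and real browsers also carry per-CA EV OIDs that this list leaves out.

```python
from dataclasses import dataclass, field

# CA/Browser Forum EV policy OID. Real clients ship a longer list that also
# covers each CA's own EV OID; this set is deliberately minimal (assumption).
EV_POLICY_OIDS = {"2.23.140.1.1"}


@dataclass
class CertInfo:
    """Stand-in for the fields a TLS client pulls out of a leaf certificate."""
    names: list                      # subject CN plus SAN dNSNames
    policy_oids: set = field(default_factory=set)
    issuer: str = ""


def name_is_acceptable(name):
    """RFC 6125-style wildcard rules: at most one '*', only as the entire
    leftmost label, and at least two labels after it. A bare '*' fails."""
    if "*" not in name:
        return True
    if name == "*":
        return False
    labels = name.split(".")
    if labels[0] != "*":
        return False
    if len(labels) < 3:              # "*.com" would match every host in a TLD
        return False
    return not any("*" in label for label in labels[1:])


def name_matches(pattern, host):
    """Does one certificate name cover the host we meant to connect to?"""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if not name_is_acceptable(pattern):
        return False
    if pattern == host:
        return True
    if pattern.startswith("*."):
        suffix = pattern[1:]         # ".example.com"
        if host.endswith(suffix):
            head = host[: -len(suffix)]
            return head != "" and "." not in head   # wildcard spans one label
    return False


def cert_valid_for(cert, host):
    return any(name_matches(n, host) for n in cert.names)


def is_ev(cert):
    return bool(cert.policy_oids & EV_POLICY_OIDS)


def detect_downgrade(previous, current):
    """Reason string if the new cert is a suspicious replacement, else None."""
    if previous is None:
        return None
    if is_ev(previous) and not is_ev(current):
        return "EV -> DV downgrade"
    if previous.issuer != current.issuer:
        return "issuer changed"
    return None


def evaluate(host, previous, current):
    """Decision a hardened client could make on a freshly presented leaf cert.
    Returns (accepted, reason)."""
    if not cert_valid_for(current, host):
        return (False, "no acceptable name matches host")
    why = detect_downgrade(previous, current)
    if why:
        return (False, why)
    return (True, "ok")


if __name__ == "__main__":
    # Constructed sample certificates, not real ones.
    ev = CertInfo(["www.paypal.com"], {"2.23.140.1.1"}, "VeriSign")
    dv = CertInfo(["www.paypal.com"], set(), "Comodo")
    star = CertInfo(["*"], set(), "Comodo")
    print(evaluate("www.paypal.com", None, ev))     # accepted
    print(evaluate("www.paypal.com", ev, dv))       # the "bump" in the post
    print(evaluate("www.paypal.com", None, star))   # bare "*" refused
```

The point of the second check is the 5-second green-to-blue flicker the post mentions: a human will not notice it, but a client that keeps the previous certificate's EV status and issuer around can refuse to submit a form over the downgraded connection instead of relying on the address bar.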