First, I'd like to express my appreciation for the SSL Server Test web page. I have been able to send requests for improvements to several web sites, and a couple of them even responded via email and improved their grades. Progress!!!
I'm curious to know how effective the SSL Server Test is at detecting fake web sites? If, as a hypothetical example, a hacker created a lookalike web site with a tricky misspelling (perhaps using "punycode" -- see Look-Alike Domains and Visual Confusion — Krebs on Security), wouldn't they be able to scarf up some valid security certificates for the actual web site URL, such that the SSL Server Test would give the site a grade of A or A+ (maybe "B", although I think "B" is sub-par, and avoid such sites)?