yes, i think that could be possible. if, say, the bluelight code was audited, but only one admin controlled the dns servers (or a 3rd party - hmm... they could even sign the certificate without any of you knowing, wouldnt even need a mole... for some of these people using common dns providers, i wonder how often it happens that some money, threats or manipulations changes hands with the provider and the domain could be verified again and a new psuedo-cert could be issued used for only a few users (i'd hope the certificate authorities are smarter than that... though i rarely check if a cert changes to a different signer), such as the owners of the site themselves - though obviously in that case someone would eventually notice they are being routed to different addresses eventually... though doing it just for a split second to grab their password in plaintext would be more feasable... i'd assume the admins of this site would be checking from time to time and comparing the IP ranges with others, though a rouge admin and a sneakily configured modified load balancer, eh it is a little endless), that is totally feasible to "MITM" you onto a separate, less secure, instance.
in fact, someone with the means to do so, say an rogue employee at cloudfare under bribe or intimidation or nsa contract, i think, could pwn every single bluelight user in a short matter of time using the above method, without a trace...
simply sign a false certificate, set the dns server to route every user to their compromised box, grab their password in plaintext, hit a hook that greenlists that IP to go to the proper server (which this sketchy dns server would be checking against)..
i guess it depends on who you trust more, your fellow admins, or the junky engineers over at cloudfare..
