Our browsers and computers have a set of root certificates of the CAs. Take an example. VeriSign's root certificate is installed on my machine. So I can trust all the certificates issued by that certificate. If VeriSign has issued 10 server certificates with the same root certificate, communication to all 10 will be trusted.
But what part makes the browser ensure that it is communicating with the server it really intends to, and not with one it does not (even though that server also has a valid VeriSign server certificate)?
Is it possible that the web server B is configured with the server certificate issued to server A?
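Added example, not part of the original post: after the chain validates back to a trusted root, a TLS client still has to check that the name it asked for appears in the certificate's subjectAltName (RFC 6125 / RFC 2818 hostname matching). The function below models that step against the dict shape Python's `ssl.SSLSocket.getpeercert()` returns; the certificate contents, the `example.test` names and the CA name are constructed for illustration. It also handles the wildcard and IP-address cases, which go beyond the single-hostname case in the question.

```python
"""Hostname verification: the step after chain validation.

Models the certificate as the dict returned by ssl.SSLSocket.getpeercert()
and checks the requested host against the subjectAltName entries.
Rules applied (RFC 6125): case-insensitive exact match on dNSName, or a
wildcard that is the whole leftmost label and matches exactly one label;
iPAddress entries match only when the requested host is a literal IP.
"""
import ipaddress


def _dns_name_matches(pattern: str, hostname: str) -> bool:
    """Match one certificate dNSName (possibly '*.label.tld') against a hostname."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Wildcard must be the entire leftmost label, must not be a top-level
    # wildcard like '*.test', and must never span a dot.
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches(cert: dict, hostname: str) -> bool:
    """True if `hostname` is one of the names the certificate was issued for.

    Only subjectAltName is consulted; modern browsers ignore the subject CN.
    """
    try:
        requested_ip = ipaddress.ip_address(hostname)
    except ValueError:
        requested_ip = None
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS" and requested_ip is None and _dns_name_matches(value, hostname):
            return True
        if kind == "IP Address" and requested_ip is not None:
            if ipaddress.ip_address(value) == requested_ip:
                return True
    return False


# Constructed sample: a certificate issued to server A (plus a wildcard and an IP).
CERT_FOR_SERVER_A = {
    "subject": ((("commonName", "a.example.test"),),),
    "issuer": ((("commonName", "Example Root CA (constructed)"),),),
    "subjectAltName": (
        ("DNS", "a.example.test"),
        ("DNS", "*.internal.example.test"),
        ("IP Address", "192.0.2.10"),
    ),
}

if __name__ == "__main__":
    # Server B serving A's certificate: the chain may validate, the name check fails.
    print(hostname_matches(CERT_FOR_SERVER_A, "a.example.test"))            # True
    print(hostname_matches(CERT_FOR_SERVER_A, "b.example.test"))            # False
    print(hostname_matches(CERT_FOR_SERVER_A, "db.internal.example.test"))  # True
    print(hostname_matches(CERT_FOR_SERVER_A, "x.y.internal.example.test")) # False
```

Server B can be configured with A's certificate file, and the chain will still validate, but the client's hostname check is what rejects it: `b.example.test` is not in the subjectAltName. In a real client this check runs with `ssl.create_default_context()`, whose `check_hostname=True` default performs it automatically; the code above only makes the rule visible.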