Is your SSL Connection Secure?

June 9, 2008

You type in the URL yourself, being sure to start with ‘https’. After loading the page, you check for the lock icon. You click on it, just to be certain, and examine the certificate chain. You look for the root certificate in the chain, and observe that the SSL connection is blessed by Verisign (whom you trust to issue certificates judiciously). You pat yourself on the back for being so savvy, and then go about your private business on the “secure” page.

But how can you be certain that your web browser isn’t a Trojan, simply faking it all? An intermediate router (such as a free wireless access point, or your employer’s gateway) could recognize that you’re downloading Firefox, and promptly send you a Trojan version instead. If that’s the case, your trust in the browser is misplaced, and you have more to worry about than just insecure SSL connections.

Several questions to consider: Did you download your browser over a secure SSL connection? How do you know it was a secure connection? Do you trust the older browser that made that SSL connection? Alternatively, did you verify the MD5/SHA-1 hash of the downloaded binary? How do you know whether the hash you’re comparing it against is authentic? Did you use an “out-of-band” channel to obtain the true hash? Does your operating system have built-in support for secure downloads? Does it verify the download of your browser?
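To make the point about the hash's authenticity concrete, here is an added example (not from the original post) that models a download where the binary and its published hash travel over the same path, and compares that with a hash obtained out of band. The function names and sample bytes are constructed for illustration, and SHA-256 is used in place of the MD5/SHA-1 the post mentions.

```python
import hashlib
import hmac


def digest(data: bytes) -> str:
    """Hex SHA-256 of a downloaded file's bytes."""
    return hashlib.sha256(data).hexdigest()


def verify(download: bytes, expected_hex: str) -> bool:
    """True only if the download matches the expected digest."""
    return hmac.compare_digest(digest(download), expected_hex.strip().lower())


def fetch(path_modified: bool, genuine: bytes, substitute: bytes):
    """Model ONE network path delivering both the binary and its published hash.

    Whoever controls that path controls both values, so the hash it
    delivers always matches the binary it delivers.
    """
    body = substitute if path_modified else genuine
    return body, digest(body)


# Constructed sample data standing in for two different installer files.
GENUINE = b"browser-installer (constructed sample bytes)"
SUBSTITUTE = b"browser-installer (constructed, altered in transit)"

# Assumption: this digest reached you by a separate channel you trust
# (printed media, a signed package index, a colleague on another network).
OUT_OF_BAND = digest(GENUINE)


def check(path_modified: bool) -> dict:
    """Compare the in-band check with the out-of-band check for one download."""
    body, in_band_hash = fetch(path_modified, GENUINE, SUBSTITUTE)
    return {
        "in_band": verify(body, in_band_hash),
        "out_of_band": verify(body, OUT_OF_BAND),
    }


if __name__ == "__main__":
    print("clean path:   ", check(False))
    print("modified path:", check(True))
```

The in-band comparison succeeds in both cases, which is why it says nothing about authenticity; only the digest that arrived by a different route distinguishes the two downloads.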

Now, if you’re really paranoid, you have to ask yourself whether you trust the compiler that compiled your browser. See Ken Thompson’s excellent exposition on this topic if you want to turn truly despondent [1].


References

[1] Ken Thompson, Reflections on Trusting Trust. Communications of the ACM, Vol. 27, No. 8, August 1984, pp. 761-763. http://cm.bell-labs.com/who/ken/trust.html

