Many consumer VPNs install a client, and it would be trivial to ship a new trusted certificate with it.

This is true, but note that, for example, on iOS an application can't do that without prompting. Now, most people would probably hit “Approve” if one of their security products said it was necessary.

> Many consumer VPNs install a client, and it would be trivial to ship a new trusted certificate with it.

A lot of browsers have their own root chain, and also now do certificate pinning, so will (IIRC) only accept specifically designated certs for particular sites (doesn't Google/Chrome/Gmail do this?).

> show the same certificate on every website

Not really, because, you can use on-demand certificate issuance.

Hell, if you really want to, you can even name your certificates the same as existing certificates and the only way to detect the forgery would be to compare the actual public keys (and who does THAT).

I feel like I'm writing an evil roadmap here, but, you can even do multiple root certs with different names and trust them all, do a whole "fake" PKI infrastructure which would be impossible to detect unless you were comparing the actual keys.

> I feel like I'm writing an evil roadmap here, but, you can even do multiple root certs with different names and trust them all, do a whole "fake" PKI infrastructure which would be impossible to detect unless you were comparing the actual keys.

Yeah, just imagine being beholden to some federal statue impropriety (easiest in taxes) and running one of the these vpn organizations...

If and when browsers start requiring pre-certificate transparency logging, anything like this should no longer be possible to pull off, since none of the fake certificates would be able to contain a stapled pre-certificate "signoff" from a trusted CT log.

On the other hand, a lot of VPNs provide proprietary client software (even though all the major OSes have built-in support for the common VPN protocols such as IPSec, L2TP, etc) so they could very well sneak the root cert in there too.