It's not about the certs. To execute a man-in-the-middle attack the attacker has to literally put themselves in the middle of the route your packet takes to get to github's servers and intercept it.

Sure, there are many ways an attacker can do that. Not trusting your IP transit is kind of the whole reason for encryption in the first place.

1. Various DNS hijacking and cache poisoning attacks 2. three letter agencies in meet me rooms 3. Exploited/hacked routers 4. Wifi hot spots