If you're referring to an MITM attack, then the attacker could intercept the connection (establishing SSL under its own certificate) only when attacking the specific target. The target himself would need to notice that the certificate fingerprint changed.