Reco:
Browsers do certificate validation, "wrong IP address" would be
possible if the third party somehow produced a valid certificate for
wiki.debian.org (you have to be a CA *or* the government to do this)
and faked a DNS record (that's easy part).
One can also do it if one is the person's employer and owns the machine
that the employee is running, no DNS resource record modifications
required, merely the employer as an additional root authority pushed out
via group policy or suchlike and either custom proxy auto-configuration
or transparent proxying at the borders. This has been a known practice
for many years, and there have been for that time a wide range of
products sold to employers for specifically doing this.
* https://technet.microsoft.com/en-gb/library/ee658156.aspx
* http://cookbook.fortinet.com/why-you-should-use-ssl-inspection/
* https://securebox.comodo.com/ssl-sniffing/ssl-inspection/
* https://www.zscaler.com/products/ssl-inspection
* https://www.globalsign.com/en/blog/what-is-ssl-inspection/
... and so on.
