Seriously? My SSL cert costs me $12.99 a year. Though some man-in-the-middle attacks don't require that the attacker have an SSL certificate of his own. Several techniques exist for doing this without the attacker having an SSL cert; there's an SSL renegotiation vulnerability, SSL forging, SSL sidejacking, SSL stripping...

Essentially, at the end of the day, if hackers control your domain name servers, you're totally screwed. SSL is untrustworthy in that instance.
Photo gallery, all about me, and more: