by noselasd 5404 days ago
Of course they can reroute traffic. All they have to do is

* Force every ISP/Telco within their borders to add fake google.com entries to their DNS servers.

and/or

* Force every ISP/Telco to transparently proxy all DNS traffic and provide fake replies for google.com queries

You can even make it easier:

Just hijack IP routing at the borders, such that IP traffic to 209.85.149.99 (and all other Google networks) is not routed to the real Google servers on the internet, but to their own malicious filtering proxies.

Even without involving the ISPs/Telcos, they could transparently hijack and proxy you. For a whole country it might be a rather big task, though, but here's what you do:

* Find all the cables carrying internet traffic in/out of your country.

* Bring a shovel, dig up the cables.

* Break the cables.

* Hook up the cables to your transparent proxy/filtering machinery.

Done properly, all everyone would know was some lights flickering in the few seconds the cables were broken.

2 comments

I imagine that more sophisticated networking equipment uses something like TDR (https://secure.wikimedia.org/wikipedia/en/wiki/Time-domain_r...) to detect when the cables have changed in length. Some PC BIOSes include a tool that will report the length of attached network cables, whether or not there is a system at the other end.
If they can reroute traffic, why can't they exchange the certificates in downloaded versions of Firefox?
It'd be a far greater task intercepting all downloads for every browser out there and replacing them with malicious ones. Besides, you'd not get to hijack people browsing with the IE that came installed on their PC, which likely outnumber Firefox users.