How is anything online trusted? The most common way to establish trust, for anything, is through hashing. Online locations apply hashing via certificates issued by a trusted certificate authority. Those certificates can be spoofed just as a destination domain can be spoofed. The strength of security is that it takes extra work to spoof two unrelated things and that the issuing CA is trusted by other CAs and applications. On the web exposure to risk is limited by usually only applying those certificates to the key exchange of TLS. These certificates can be used for more though, like digital signatures on documents.
