1. They are actually visiting the real site, YouTube in this case.
2. The communications between the visitor and the site, including passwords and cookies, are encrypted.
Ars Technica shows a screenshot of the fake certificate. It clearly shows that the issuer is Gogo rather than a Certificate Authority (CA) that the browser trusts; hence, the pop-up warning. Unfortunately,