If the *.instagram.com keypair is the TLS certificate keypair, then they could MITM Instagram. They'd probably need to physically stalk some Instagram employees, but getting the TLS certificate key pair would be the difficult part.
On a related note, what do MS Windows/OSX/Android/iOS/Linux do when they see a WiFi AP with an SSID (and maybe even MAC) they recognize, with a WPA2 key they know, operating without encryption? Will they still auto-connect in the clear? In other words, if an attacker cloned the SSID of someone's work/home network, with a strong enough signal, could they trick devices into auto-connecting to an unencrypted AP?
People do this with public WiFi - for example, set up at Starbucks with a duplicated SSID, wait for target to connect and route it through as if it were connected to the real Starbucks WiFi, all the while monitoring in the middle.