How is secure connection created between the web server and ID-card? What are the possibilities for the man-in-the-middle attacks?
Connection is started by exchanging certificates. Client (ID-card) and server both have their own private key and they also have now each others certificates. Next they will pick some random message which will then be digitally signed (using their private key) and sent to the other side. Opposite side will check the signature using the sender certificate it already has. If server authentication is used then only the server will sign the message like this and send it to the client (web browser) for verification . If server and the client are authenticating then this process goes both ways and both verify each others authenticity.
If we are talking about web server then possibility for such an attack is very small to none. The attacker in the middle has to be able to forge both client and server signature. Since both sides also check the certificate source then the man-in-the-middle has to able to create forged SK certificates. Forging those certificates is virtually impossible using today's computers.