I agree in that scenario it's hard to say whether one is more likely to be the true certificate than the other. If we're assuming attacks that aren't targeted towards specific users (e.g. from state actors, or just a corrupt hotel wifi admin, who are attacking whoever happens to be on the network) then we can't say without more details about the network you were connected to on Monday vs. Tuesday. If we're assuming attacks that are targeting you specifically as an individual, perhaps A could be considered slightly more likely than B due to coming first... Visiting the site on Monday leaks the information that you visited the site, so an attacker may believe you will visit that site again. But if the attacker is keeping logs of your traffic habits, they may have just chosen Monday to poison your fresh DNS lookups. So again it looks like we can't say which is more likely.