If a client receives a server's certificate typically during handshake, why can't a man in the middle attack proxy client just use the same certificate that will be sent from an authentic server?
Certificates are meant to be public, if I'm not mistaken?
like twitter https://dev.twitter.com/overview/api/ssl
Simply because the server doesn't only send the certificate; it also proves that its the "owner" of the certificate; speaking simplified here:
The server encrypts something that you can decrypt using the certificate, but only the owner of the certificate could encrypt that way.
Assuming you know the public/private key crypto pattern, the certificate contains a public key that can decrypt data that was encrypted with the server's private key. The server will never ever hand out the private key.