by _cbsz 5983 days ago
It's better than plain HTTP if your browser will complain next time if the cert changes, because at least you're assured that if you weren't under attack on first visit, you're not under attack now. Displaying a huge error when the site has made some effort is ironic.

(The point of the error is that a normal, valid certificate means that some CA has vouched for the identity of the website. When it's some random website you don't care about, this isn't important. When it's your bank or a business, it is.)

1 comment

Exactly so. This is the SSH model, and I love it. How does a CA's signature protect against phishing anyway? It doesn't. Equifax signs both the real site and the fake site.