by gcp 3381 days ago
users will start getting instructed by sites that they have to manually add a root certificate in order to use their site

Or switch browsers. Google needs to (and will) play this so it ends up being unattractive for other browser vendors not to distrust Symantec as well.


Could actually dodgy sites then imitate bank websites, ask the same of users and then commit a MITM attack?

I'd much rather be able to say -- 'no, never manually trust a cert', instead of 'well, ok, for now yes in this one case if you're sure there's no typos in the URL... What? Yeah, the text at the top in the little bar... argh'.

I hope I'm missing something here, but even better I hope Symantec and banks get their acts together.

Could actually dodgy sites then imitate bank websites, ask the same of users and then commit a MITM attack?

Technically, certificate pinning etc can prevent this, but in practice, yes, this is a possible attack vector.

But it has little to do with CA validation. If the user understands how to verify the domain and security of the connection the attack doesn't work, and if he doesn't, the Google vs Symantec situation makes no difference either.
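To make the pinning point above concrete, here is an added example (not from any commenter, and not real browser code) that models the two checks a client can run on a server's chain: ordinary path validation against the trust store, and an HPKP-style public-key pin check, base64(SHA-256(SubjectPublicKeyInfo)). The certificates, subject names, SPKI bytes and pin values are all constructed stand-ins so that the script runs offline; the point it shows is that once a user manually adds a root, a chain signed by that root passes path validation, but it still fails a pin check because its public keys are not in the site's pin set.

```python
import base64
import hashlib


def spki_pin(spki_der: bytes) -> str:
    """HPKP-style pin value: base64(SHA-256(SubjectPublicKeyInfo DER))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def chain_validates(chain, trusted_roots):
    """Toy path validation. `chain` is ordered leaf -> root: every cert must
    name the next cert as its issuer, and the last one must be a trusted root.
    (Signatures, validity periods and name constraints are not modelled.)"""
    for cert, issuer in zip(chain, chain[1:]):
        if cert["issuer"] != issuer["subject"]:
            return False
    return chain[-1]["subject"] in trusted_roots


def anchored_in_user_added_root(chain, vendor_roots):
    """Detection check: does the chain end in a root the browser vendor did not ship?"""
    return chain[-1]["subject"] not in vendor_roots


def pins_match(chain, pin_set):
    """Pin check: at least one SPKI anywhere in the chain must match a pinned value."""
    return any(spki_pin(cert["spki"]) in pin_set for cert in chain)


def evaluate(chain, vendor_roots, user_roots, pin_set):
    """Run all three checks; user-added roots are trusted for path validation
    exactly like vendor roots, which is what makes the pin check interesting."""
    trusted = vendor_roots | user_roots
    return {
        "chain_ok": chain_validates(chain, trusted),
        "user_root": anchored_in_user_added_root(chain, vendor_roots),
        "pin_ok": pins_match(chain, pin_set),
    }


# Constructed sample data (hypothetical names and fake SPKI bytes, not real keys).
VENDOR_ROOTS = {"CN=Vendor Shipped Root"}

BANK_CHAIN = [
    {"subject": "CN=bank.example", "issuer": "CN=Vendor Shipped Root",
     "spki": b"constructed-bank-leaf-spki"},
    {"subject": "CN=Vendor Shipped Root", "issuer": "CN=Vendor Shipped Root",
     "spki": b"constructed-vendor-root-spki"},
]

# A chain for the same hostname, but issued by a root the user was talked into installing.
ROGUE_CHAIN = [
    {"subject": "CN=bank.example", "issuer": "CN=Manually Added Root",
     "spki": b"constructed-rogue-leaf-spki"},
    {"subject": "CN=Manually Added Root", "issuer": "CN=Manually Added Root",
     "spki": b"constructed-rogue-root-spki"},
]

# The bank's pin set: its current leaf key plus a backup key, as HPKP recommends.
BANK_PINS = {spki_pin(b"constructed-bank-leaf-spki"),
             spki_pin(b"constructed-bank-backup-spki")}


def demo():
    """Returns (rogue chain before root added, rogue chain after, honest chain)."""
    before = evaluate(ROGUE_CHAIN, VENDOR_ROOTS, set(), BANK_PINS)
    after = evaluate(ROGUE_CHAIN, VENDOR_ROOTS, {"CN=Manually Added Root"}, BANK_PINS)
    honest = evaluate(BANK_CHAIN, VENDOR_ROOTS, set(), BANK_PINS)
    return before, after, honest


if __name__ == "__main__":
    for label, result in zip(("rogue, no user root", "rogue, user root added", "honest"), demo()):
        print(f"{label:24s} {result}")
```

Running it shows the rogue chain flipping from `chain_ok: False` to `chain_ok: True` once the root is in the user store, while `pin_ok` stays `False` and `user_root` stays `True`; the honest chain passes everything. The `user_root` flag is the cheap check worth logging or alerting on in practice. One caveat on the "pinning prevents this" claim: Chrome deliberately does not enforce pins for chains that terminate in a locally installed root (so that corporate interception proxies keep working), so in that browser the pin check in this example would be skipped for exactly the case the thread is discussing.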

That's a good insight. Apple and Mozilla don't seem to mind making big decisions for their users on behalf of perceived security threats either, so I imagine only Edge will hold out for a long time. Google probably won't lose any market share over this.