[shif]

The government could force pc manufacturers to deploy a root CA that they control and then do a MITM proxy to read everything the user is doing, they could also redirect wikipedia domain to another domain that just acts as a reverse proxy and deploy a legit cert on that other site

[tonysdg]

Governments already deploy root CAs -- see here: https://security.stackexchange.com/questions/71171/is-there-...

[tony101]

Most Wikipedia/Wikimedia domains have HSTS preloaded in browsers, preventing redirection without a valid certificate.

[theEXTORTCIST]

AFAIK HSTS doesn't break TLS MITM. A valid x509 certificate is generated by the attacker (using a Certificate Authority trusted by the victim's browser) for the domain the victim is visiting and all is well for both TLS sessions (Client<->Attacker, Attacker<->Server). This all relies on the attacker having access to sign certs from the trusted CA.

Certificate pinning in the HTTPS client would mitigate TLS MITM (HPKP).