[danhab99]

> is also more or less dependent on assuming no malevolence by the certificate authorities

It doesn't have to be. Nothing's stopping you from signing your own certificates, just like nothing is stopping you from trusting the certificate your friend gave you, whether its by printing out the certificate on paper and then "handing" it to you, or sending it in an email. You're also 100% welcome to trust that your friend isn't a moron and lost control of his private key. AT THE SAME TIME, nothing stops you and abunch of your friends from trusting one or 2 dudes to be a certificate authority for your group.

Cryptography wasn't (and never tried to be) ever an alternative to not being stupid. Any 2 people can setup maximum 100% encrypted end-to-end communication using tools older than I am (or about my age). I feel like we let security and centralization blind us to solutions that we already have because those solutions are hard to onboard too. IRC is free, GPG is free, TOR is free, Email is still free.