Hacker News
by withinboredom 1070 days ago
HTTPS is only as secure as the CA that signs the certificate. My point is, at some point you have to bootstrap the trust. That is the single most vulnerable point (and why becoming a trusted CA is quite complex and easy to lose if you mess it up)! Without the CA, HTTPS is insecure (try self-signed certs and you'll see your browser agree with me). If you try and bootstrap a CA over the radio, it is vulnerable to MITM attacks.

There is absolutely nothing inherently secure about HTTPS without a secure CA.

1 comment

Even after adjusting this statement three times it's still wrong. Certificate transparency has severely limited what CAs can do without being found out.

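The reply above leans on Certificate Transparency, whose accountability property comes from an append-only Merkle tree (RFC 6962): a log commits to every certificate it has accepted with a single root hash, and anyone holding a certificate plus an inclusion proof can check that the log really contains it, so a mis-issuance cannot be quietly logged and later denied. The block below is an added example, not code posted by anyone in this thread; it implements the RFC 6962 leaf/node hashing, audit-path generation and the inclusion-proof verification procedure over a handful of constructed log entries (the entry contents and indices are made up for illustration).

```python
"""RFC 6962 Merkle tree hashing, inclusion proofs and proof verification.

Added example for the Certificate Transparency point in the thread; not code
from the commenters. The log entries below are constructed placeholders.
"""
import hashlib
from typing import List

LEAF_PREFIX = b"\x00"  # RFC 6962 domain separator for leaf hashes
NODE_PREFIX = b"\x01"  # RFC 6962 domain separator for interior nodes


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def leaf_hash(entry: bytes) -> bytes:
    """MTH of a single entry: SHA-256(0x00 || entry)."""
    return sha256(LEAF_PREFIX + entry)


def node_hash(left: bytes, right: bytes) -> bytes:
    """Interior node: SHA-256(0x01 || left || right)."""
    return sha256(NODE_PREFIX + left + right)


def largest_power_of_two_below(n: int) -> int:
    """Largest power of two strictly less than n (requires n >= 2)."""
    k = 1
    while k * 2 < n:
        k *= 2
    return k


def merkle_tree_hash(entries: List[bytes]) -> bytes:
    """Root hash of the log, RFC 6962 section 2.1 (MTH)."""
    n = len(entries)
    if n == 0:
        return sha256(b"")
    if n == 1:
        return leaf_hash(entries[0])
    k = largest_power_of_two_below(n)
    return node_hash(merkle_tree_hash(entries[:k]), merkle_tree_hash(entries[k:]))


def inclusion_proof(index: int, entries: List[bytes]) -> List[bytes]:
    """Audit path for entries[index], RFC 6962 section 2.1.1 (PATH).

    This is what a log operator returns; the verifier below never needs
    the other entries, only these sibling hashes and the signed root.
    """
    n = len(entries)
    if n <= 1:
        return []
    k = largest_power_of_two_below(n)
    if index < k:
        return inclusion_proof(index, entries[:k]) + [merkle_tree_hash(entries[k:])]
    return inclusion_proof(index - k, entries[k:]) + [merkle_tree_hash(entries[:k])]


def verify_inclusion(entry: bytes, index: int, tree_size: int,
                     proof: List[bytes], root: bytes) -> bool:
    """Client-side check that `entry` sits at `index` in a tree of `tree_size`
    leaves with root hash `root` (RFC 9162 section 2.1.3.2 algorithm)."""
    if index >= tree_size:
        return False
    fn, sn = index, tree_size - 1
    r = leaf_hash(entry)
    for p in proof:
        if sn == 0:
            return False  # proof is longer than the tree allows
        if fn & 1 or fn == sn:
            r = node_hash(p, r)  # sibling is on the left
            if not fn & 1:
                # right-most node of its level: skip levels with no sibling
                while not fn & 1 and fn != 0:
                    fn >>= 1
                    sn >>= 1
        else:
            r = node_hash(r, p)  # sibling is on the right
        fn >>= 1
        sn >>= 1
    return sn == 0 and r == root


# Constructed log contents: in a real log each entry is a DER certificate.
LOG_ENTRIES = [f"constructed-cert-entry-{i}".encode() for i in range(5)]


def demo() -> dict:
    """Prove inclusion of every entry, and show that an unlogged entry or a
    tampered proof fails against the same root."""
    root = merkle_tree_hash(LOG_ENTRIES)
    size = len(LOG_ENTRIES)
    all_ok = all(
        verify_inclusion(e, i, size, inclusion_proof(i, LOG_ENTRIES), root)
        for i, e in enumerate(LOG_ENTRIES)
    )
    unlogged = verify_inclusion(b"never-logged-cert", 2, size,
                                inclusion_proof(2, LOG_ENTRIES), root)
    bad_proof = inclusion_proof(2, LOG_ENTRIES)
    bad_proof[0] = sha256(b"forged sibling")
    tampered = verify_inclusion(LOG_ENTRIES[2], 2, size, bad_proof, root)
    return {"all_logged_verify": all_ok, "unlogged_verifies": unlogged,
            "tampered_proof_verifies": tampered}


if __name__ == "__main__":
    print(demo())
```

The root hash is what a log signs in its Signed Tree Head; a monitor watching for certificates naming its own domains compares every new root against the entries it has fetched, which is the mechanism that makes a CA's mis-issuance visible rather than preventing it outright.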
I have no idea what you're talking about. There is no "radio CA" in existence to adhere to "certificate transparency."