[samuelkadolph]

Having the private key of a trusted root CA lets you create leaf certificates (or intermediate CAs) that your computer will trust implicitly (because the root is trusted). This would allow someone to man-in-the-middle your connection to, say, gmail (with help of your ISP) and you would not be able to easily detect it.

Gibson Research Corporation created a page that shows the real signature for some common websites (and lets you check any site you want). You can then connect to them and view the signature in your browser and compare them. This is what you would have to do to know if you were being MITMed with a "real" certificate.

https://www.grc.com/fingerprints.htm

[archivator]

There's also Convergence, in which multiple independent notaries vouch for a certificate's authenticity. Here's a good summary - http://security.stackexchange.com/questions/5967/convergence...

[arjie]

That's a nice enough idea, but how do I know I'm looking at the real grc.com? They use an SSL certificate from a US CA too.

[homosaur]

If you ever listen to Security Now, you'll know that Steve has real issues personally with the scammy SSL system. Hongkong Post is always used as the example, but check your root cert list sometime. You'll see all sorts of entities that your browser implicitly trusts and you will have absolutely no idea who they are.

Here's a current list of Moz's http://www.mozilla.org/projects/security/certs/included/

[enraged_camel]

This is the implicit weakness of the SSL system. The question is always "how do I know I can trust those people?"

[Pwnguinz]

Relevant, "Reflections on Trusting Trust": http://www.ece.cmu.edu/~ganger/712.fall02/papers/p761-thomps...

[vidarh]

You don't, really. You would need to download the details for services you care about now, and hope they're not already compromised, and compare offline at a later date when you fear they might be.