by arjie 4816 days ago
That's a nice enough idea, but how do I know I'm looking at the real grc.com? They use an SSL certificate from a US CA too.
3 comments

If you ever listen to Security Now, you'll know that Steve has real issues personally with the scammy SSL system. Hongkong Post is always used as the example, but check your root cert list sometime. You'll see all sorts of entities that your browser implicitly trusts and you will have absolutely no idea who they are.

Here's a current list of Moz's http://www.mozilla.org/projects/security/certs/included/

This is the implicit weakness of the SSL system. The question is always "how do I know I can trust those people?"
Relevant, "Reflections on Trusting Trust": http://www.ece.cmu.edu/~ganger/712.fall02/papers/p761-thomps...
You don't, really. You would need to download the details for services you care about now, and hope they're not already compromised, and compare offline at a later date when you fear they might be.