[rcxdude]

But with SSL your root certificates change rarely and you can control them, as well as freeze certificates for specific websites. With Javascript code you don't have that kind of control and if you did it would require a massive change in the approach of creating a webapp in order to be managable.

It's not an insurmountable problem though, I would like to see an attempt at solving it (a browser extension would be required, but arguably you could have much greater transparency in updates than even most package managed apps if you used readable JS).

[kamjam]

Fair point, and a browser extension that would detect changes in he script would be easy enough to build. The point is, for the vast majority of users, freezing certs and such is not common (I didn't know you could do that for example) and they would rely on the site to specify the cert to use.

[lemonade]

This is called certificate pinning (a.k.a. Trust On First Use or TOFU). If you use Firefox, just install Certificate Patrol.

If you are interested in the rationale, and how you can use technologies like DANE to make it even better, read the paper by Gabor Toth and Tjebbe Vlieg (http://staff.science.uva.nl/~delaat/rp/2012-2013/p56/report....).