[EGreg]

You can do a MITM attack with certificates also. In fact NSA can do it by compromising any CA in the chain.

A distributed system that verifies identity would be much better. For example, namecoin based identities and checksums committed to the blockchain.

In fact, any self-signed public key system with a MAC distributed to many sources would be good enough. It doesn't have to have proof of work. The only requirement is that there are enough root CAs that you can't compromise them all.

This should be taken care of by browsers themselves!

I wrote this 3 years ago and since then nothing has been done: https://news.ycombinator.com/item?id=2024164

[orthecreedence]

Agreed, CAs are an easily-exploitable smokescreen. Distribution is the way to go here. Seems like you could post your public key in the data section of a namecoin domain entry, no?

I think there is movement on this type of system, but it's slow because people don't realize just how insecure HTTPS is when CAs and the US government are involved.

[jwgur]

More like they don't care about that category of threats.

[EGreg]

Is there any work on a project like this that you know of?

[orthecreedence]

I heard of a project a while back, but haven't seen it since and I forget the name. My understanding is that it's slow going. I think the best bet is, as mentioned, piggyback onto the blockchain somehow. Namecoin is probably the closest to getting this right.