by micro-ram 4328 days ago
We already have a start there. Make all NON-EV certs free.

I'm all for that, but realistically how will you verify identity? If there is no identity verification what is stopping me from going out and registering for "google.com" and then using it in my MITM attack?
I think most non-EV SSL certificates these days are "verified" by sending a message to whatever e-mail address you have on file in your whois record.

Also, on Chrome at least, certificate pinning should prevent that particular scenario.

Chrome's certificate pinning database doesn't scale at all (i.e. it works on less than 0.01% of the internet).

As to the whois thing, what is stopping me from hijacking a domain, changing the whois and then generating keys? The webadmin might never even know. You don't even need access to their email.

Or to put it more realistically: What is stopping the NSA from pressuring a domain registrar into altering the whois for a brief period in order to generate MITM keys?

Nothing, really. But that is the situation today.