Its kind of a broken system. Moxie has great talks on this. If you allow just about anyone to be a CA or if you're a CA and have shitty security practices, then it ruins the integrity of the entire system. If we cant count on CAs to provide valid certs to legit companies then what good is it? At least the communication channel is encrypted.

I remember that especially when he released sslstrip.  I just knew it was only a matter of time after that.  I guess a broken system on its way to being crushed.  But it will be interesting to see alternatives implemented.  I remember being at a talk by Marcus Ranum and he wanted to change AV since that has been defeated, crushed and left for dead.  He had some good interesting ideas of changing the "already too late" paradigm.  But we will see.  I know we need to have something or more dark days ahead. 




I am checking that out now.  Thanks for the links!

It all comes down to cost, suddenly paying a couple hundred dollars a year for a cert may not be so bad (Verisign).  All these other companies charge pennies in comparison.  I would say if you are any major player on the web then you are better off with a higher end CA for your site certs.  If anything if they get breached, you can get them for more damages. :-p  But seriously, companies want to save money so the $70 cert is much more attractive than the $600 cert.  You get what you pay for. 

Might as well install your own CA and just use self signed

there you go, problem fixed