don't blame javascript
javascript was mentioned as an example, but if you can inject javascript then you can make other non-javascript changes as well... it's not a fault with javascript, but with the browser allowing mixed certificates and displaying the status of the "most trusted" one, rather than the "least trusted" which would probably be the correct way to deal with it
as for being anti cheap certs... what if i want SSL on my small website? i can't without forking out a small fortune - yeah, good on you for sticking it to the man! this TAX on the use of encryption is just stupid.
have 2 types of certificate,
1. cheap/free certificate which has basic anti-spoof checks (i.e. send email to the contact for the domain in whois + automated check for a random file which you need to put on the website - proves you have control over the real site and therefore it's OK to give you a certificate), this allows encryption to be used low cost/free by anyone who wants to with basic protection from someone spoofing it
2. extended validation with the green bar where they are required to do *real* background checks to validate you are who you say you are, and therefore charge appropriately, for large organisations needing to prove their identity as well as use encryption (i.e. banks, online shopping, etc)
we're sort of moving in that direction except apparently the browsers allow mixed types and display it as the second type, when they should display mixed types as being like the lowest form, and also the normal non-verified certificates are still expensive considering they don't actually do anything for your money except run a program to sign it!