you can't necessarily see everything
So personally I'm happy that the code is being inspected by others and pleased that Google is paying to get the bugs fixed.
Google and Firefox have upgraded their flagship browsers, crushing bugs and cracking down on bad certificates along the way. The Choc Factory's Chrome 41 swats 51 bugs of which at least 13 are classified as high severity and six considered medium risks. Google engineer Penny MacNeil thanked security researchers for the effort …
Most root CA signatures aren't worth a damn for security or trust. My browser has several hundred root certs and I haven't a clue who most of them are, how seriously they take security or what "trust" they could possibly bestow on some random site. We already know some root CAs have been compromised or are compliant with their national government.
So why do we rely on them? Why in most cases do sites pay money and expend time / effort for a cert which does nothing but make a scary icon go away?
I would FAR more trust a site if in addition to, or instead of, a CA their cert was signed by their business partners, their competitors, their local chamber of commerce, their trade associations etc. So I go to Amazon and their site is signed by Google, Visa, Mastercard, Barnes & Noble, Microsoft, Mozilla etc. Recognizable names. It would also be far more secure - it only takes one root CA to be compromised and start issuing bogus certs. But if browsers cached certs and site certs had more than one signature, then it would be much harder to compromise them. The browser could warn you if a cert's fingerprint changed or signatories had disappeared.
A web of trust basically. It doesn't stop a site getting their cert signed by a CA and in some cases it still makes sense. But a web of trust model would be far more suitable for a lot of sites. And let sites use unsigned keys. It might not prevent man in the middle but it's still better than plaintext (which doesn't stop MITM either) and browsers could still store fingerprints to warn of changes.
If browsers can produce a new HTTP/2.0 or HTML 5, or EME or a raft of other things, then why not fix the broken trust model? Give sites a choice. They can still pay $$$ for a cert, or they can build a web of trust. Or both. Or nothing. It's still more secure than what we have right now.
> I would FAR more trust a site if in addition to, or instead of a CA their cert was signed by their business partners, their competitors, their local chamber of commerce, their trade associations etc.
That's exactly the PGP approach. If you look at it from the point of view of scalability it is not without its fair share of problems either, sadly. :-(
Still, that is exactly what I use for business correspondence signing and encryption, even though I also have government-issued X509 certs.
Yes there are problems but look at how it is now.
If I run a site and want secure communication I have to apply for and usually pay some nonentity to issue me with a "signed" cert. Not just once but every year. I don't gain anything from this process and neither do my visitors. It's just a tax on security to make a scary popup go away and to deter casual evildoers.
I should be able to roll my own cert. I could register the fingerprint with a lighthouse site if I wanted some protection from MITM attacks. Or I could get other sites to sign my key. e.g. maybe Amazon offers a key signing service for affiliates. Or I might know some other site owners and have a key signing party. Or I could pay a CA. Or all of those things according to my needs.
The more signatories the better of course but even none is protection from eavesdroppers.
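The two mechanisms floated in this thread, a browser that caches a site's certificate fingerprint and warns when it changes, and a certificate that carries several signatories so the browser can also warn when some of them disappear, can be sketched as a small trust-on-first-use (TOFU) store. The code below is an added example, not from the thread or any browser; the certificate bytes and signer names are constructed, and the "signers" set is a hypothetical attribute standing in for the multi-signature idea (a real X.509 certificate has a single issuer). A real client would feed it the DER bytes it received in the TLS handshake, e.g. from `ssl.SSLSocket.getpeercert(binary_form=True)`.

```python
"""Trust-on-first-use fingerprint cache with signer tracking (added example)."""
import hashlib
import json
from typing import Dict, Iterable, Tuple


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate as colon-separated hex."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


class FingerprintStore:
    """Remembers the first fingerprint (and signer set) observed per host.

    Verdicts returned by check():
      first-use           host never seen before; fingerprint is now pinned
      match               same fingerprint, no previously seen signer missing
      signers-dropped     same fingerprint, but some earlier signatory is gone
      fingerprint-changed the presented certificate differs from the pinned one
    """

    FIRST_USE = "first-use"
    MATCH = "match"
    SIGNERS_DROPPED = "signers-dropped"
    FINGERPRINT_CHANGED = "fingerprint-changed"

    def __init__(self) -> None:
        self._pins: Dict[str, dict] = {}

    def check(self, host: str, der_cert: bytes, signers: Iterable[str]) -> Tuple[str, str]:
        """Compare the presented cert against the pin for host; pin it if new."""
        fp = fingerprint(der_cert)
        seen = set(signers)
        pinned = self._pins.get(host)
        if pinned is None:
            self._pins[host] = {"fingerprint": fp, "signers": sorted(seen)}
            return self.FIRST_USE, "pinned %s -> %s" % (host, fp)
        if pinned["fingerprint"] != fp:
            # A changed key may be a legitimate rotation or an interposed cert;
            # the store cannot tell, so it only refuses to update silently.
            return self.FINGERPRINT_CHANGED, "expected %s, got %s" % (pinned["fingerprint"], fp)
        missing = set(pinned["signers"]) - seen
        if missing:
            return self.SIGNERS_DROPPED, "missing signatures from: " + ", ".join(sorted(missing))
        # New signatories are welcome; remember them so their later loss is noticed.
        pinned["signers"] = sorted(set(pinned["signers"]) | seen)
        return self.MATCH, "fingerprint and signers unchanged"

    def rotate(self, host: str, der_cert: bytes, signers: Iterable[str]) -> None:
        """Explicitly accept a new certificate for host (user-confirmed rotation)."""
        self._pins[host] = {"fingerprint": fingerprint(der_cert), "signers": sorted(set(signers))}

    def dumps(self) -> str:
        """Serialize pins so they survive browser restarts."""
        return json.dumps(self._pins, sort_keys=True)

    @classmethod
    def loads(cls, data: str) -> "FingerprintStore":
        store = cls()
        store._pins = json.loads(data)
        return store


def demo() -> list:
    """Walk through the four verdicts on constructed inputs; returns the verdicts."""
    store = FingerprintStore()
    cert_a = b"CONSTRUCTED-DER-BYTES-FOR-shop.example-A"   # constructed, not a real cert
    cert_b = b"CONSTRUCTED-DER-BYTES-FOR-shop.example-B"   # constructed replacement
    verdicts = [
        store.check("shop.example", cert_a, ["Visa", "Mastercard"])[0],
        store.check("shop.example", cert_a, ["Visa", "Mastercard", "Mozilla"])[0],
        store.check("shop.example", cert_a, ["Visa"])[0],
        store.check("shop.example", cert_b, ["Visa", "Mastercard", "Mozilla"])[0],
    ]
    for v in verdicts:
        print(v)
    return verdicts


if __name__ == "__main__":
    demo()
```

The store deliberately never overwrites a pin on its own: a changed fingerprint is surfaced as a verdict for the user (or a policy layer) to act on, and `rotate()` is the only path that replaces it. That is the same trade-off the thread touches on: TOFU gives no protection on the very first connection, but every later connection can be checked against what was seen before.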