I don't think what I'm proposing, which would be required to break your suggestion, is at all beyond the skillsets of anyone who reads a tech news site.
1. Buy the applicable hardware.
(Eg https://wifipineapple.com/ )
2. Create a self signed certificate for website.org
(Eg https://technet.microsoft.com/en-us/library/cc753127(v=ws.10).aspx )
3. Look for a location likely to have free wi-fi but who fail to use HTTPS
(Eg https://t.co/6Bu4v9f5Qn )
4. Redirect any form submit action to a URI under your control
(I won't detail that step, RTFM)
Alternatively, pick a café/library/train station/hotel and call your fake AP "Free McDonald's WiFi", hijack the first HTTP page they request, put the McDonald's logo on top and say "Sign in with Facebook", put the f logo on it, and many people will just connect to it and type in their credentials.
CAs are imperfect. DigiNotar and WoSign stand out, but I couldn't characterise them giving me a fake cert as "easy". Having the right political connections to get them to make a fake cert for you is much less of a threat for most people than what I have described above.
CAs are like democracy. The worst form of government, except for all the other forms we have tried from time to time.