Reply to post:

'No questions asked' Windows code cert slingers 'fuel trade' in digitally signed malware

Amos1

"Look at HTTPS compared to SSH. With SSH, no signed certificate is required. The first time you log onto a server you get a signature in your "authorized" store and if it subsequently changes, you know something odd (not necessarily nefarious) is going on and you can inquire."

When people visit hundreds of websites every day that method is completely unworkable, especially since much content comes from third-party sites and you never see their URLs in the browser. If the usual method to communicate a validity string, such as a SHA file hash, is to put it on the web page where a hacker could modify the binary and the hash value to match, it's of no value security-wise. It just assures you downloaded the backdoored malware intact. If you even bother to check the hash or SSH fingerprint.

And with the push to reduce the certificate validity period from two years to one year or worse, it's completely untenable. It only works for SSH because the certs never change, a risk in itself.
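An added illustration, not part of the comment above or the article it replies to: a Python sketch of the two mechanisms under discussion, a hash published beside the download and an SSH-style trust-on-first-use pin. The host name, key bytes, file contents and all function and class names are constructed for the example.

```python
import hashlib

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def verify_download(binary: bytes, published_hash: str) -> bool:
    """Integrity only: the bytes match the hash; says nothing about who published either."""
    return sha256_hex(binary) == published_hash

class TofuStore:
    """Trust-on-first-use pin store in the spirit of SSH known_hosts (hypothetical helper)."""
    def __init__(self):
        self.pins = {}

    def check(self, host: str, key: bytes) -> str:
        fp = sha256_hex(key)
        pinned = self.pins.get(host)
        if pinned is None:
            self.pins[host] = fp          # first contact: nothing to compare against
            return "first-use"
        return "match" if pinned == fp else "changed"

def same_channel_demo() -> tuple:
    # Constructed sample data standing in for a real installer.
    genuine = b"installer v1.0"
    tampered = b"installer v1.0 + backdoor"
    # Whoever can edit the download page controls both the file and the hash.
    page = {"file": tampered, "sha256": sha256_hex(tampered)}
    same_channel_ok = verify_download(page["file"], page["sha256"])
    # A hash of the genuine build obtained through a separate channel.
    out_of_band_ok = verify_download(page["file"], sha256_hex(genuine))
    return same_channel_ok, out_of_band_ok

def tofu_demo() -> list:
    store = TofuStore()
    host = "files.example.test"  # constructed host name
    return [
        store.check(host, b"key-2023"),          # first visit
        store.check(host, b"key-2023"),          # unchanged key
        store.check(host, b"key-2024-rotated"),  # legitimate rotation
        store.check(host, b"key-attacker"),      # substituted key
    ]

if __name__ == "__main__":
    print(same_channel_demo())  # same-channel hash passes, out-of-band hash fails
    print(tofu_demo())          # rotation and substitution both report "changed"
```

The pin store returns the same "changed" result for a routine key rotation and for a substituted key, so every rotation needs a separate verification step to tell the two apart.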
