Reply to post:

'No questions asked' Windows code cert slingers 'fuel trade' in digitally signed malware

Steve the Cynic

With HTTPS, you are at the absolute whims of "authorities" which can quite possibly be full of absolute idiots. I do not put my digital security trust in a bunch of idiots.

This problem is more general than just HTTPS, and it's not a total problem. HTTPS, after all, is "HTTP over SSL" in origin, although these days it's over TLS, and the certificate stuff is part of SSL/TLS.

And there is a little-known and monstrously impractical alternative to those authorities, called certificate pinning. You obtain the "public" certificate of the server you want to contact, and you get your software to use that certificate to verify that the server is the server you think it is.

I can't imagine trying to use certificate pinning for general HTTPS web browsing(1), but for contexts where *knowing* *absolutely* that the certificate presented by the server is the right one is important, it's the only way. (Example: automatic upgrades downloaded by upgrader modules.)

(1) Try to imagine the conversations you'd have with receptionists when you show up unannounced to obtain each company's public server certificates for your pinned browsing. If you think this is remotely practical, well, frankly, you're weird.
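The pinning described in the comment above, as an added example that is not part of the original post: a Python client, such as an upgrader module, that consults no certificate authority and accepts the server only if the SHA-256 fingerprint of the certificate it presents matches one stored in the client. The function names, the use of a set of pins (so a replacement certificate can be pinned ahead of rotation) and the sample bytes are assumptions made for illustration.

```python
import hashlib
import hmac
import socket
import ssl


class PinMismatch(Exception):
    """Server presented a certificate that is not in the pinned set."""


def cert_fingerprint(der: bytes) -> str:
    """SHA-256 over the DER-encoded certificate, as lowercase hex."""
    return hashlib.sha256(der).hexdigest()


def pin_matches(der: bytes, pins) -> bool:
    """True if the certificate's fingerprint equals any pinned value.

    Pins may be written with colons or in upper case, as certificate viewers show them.
    """
    seen = cert_fingerprint(der)
    wanted = [p.replace(":", "").strip().lower() for p in pins]
    # compare_digest avoids leaking how many leading characters matched
    return any(hmac.compare_digest(seen, p) for p in wanted)


def open_pinned(host: str, port: int, pins, timeout: float = 10.0) -> ssl.SSLSocket:
    """Open a TLS connection that trusts only the pinned certificate(s)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # No certificate authority is consulted: the pin is the sole trust decision.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    raw = socket.create_connection((host, port), timeout=timeout)
    try:
        tls = ctx.wrap_socket(raw, server_hostname=host)
    except Exception:
        raw.close()
        raise
    der = tls.getpeercert(binary_form=True)
    # Check the pin before any application data is sent or read.
    if not der or not pin_matches(der, pins):
        tls.close()
        raise PinMismatch(f"{host}:{port} certificate is not pinned")
    return tls


# Constructed stand-in bytes, not a real certificate.
SAMPLE_DER = b"constructed stand-in for a DER-encoded certificate"
SAMPLE_PINS = {cert_fingerprint(SAMPLE_DER)}
```

Because the pin covers the whole certificate, any reissue changes the fingerprint, so the client has to ship the new pin before the server switches over.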
