26 Jul 2013, 1:01 a.m.
For the interim, the solution might be to have an extension that, besides pushing PFS (and alerting when it doesn't work), would cache the cert hashes or more and allow a browser (e.g. Firefox) to run with all CAs as untrusted, but then do a verification on a per-site basis. The big hole in web page security is that there is the web page, then there is the extra info like JavaScript and CSS. So, for example, https://amazon.com might be accepted, but https://images-na.cdn.azws.com is in the background ready to rewrite the entire page. And the page will be broken until you manually "view source" and open a link and allow the cert/CA/page for the JavaScript/CSS/images/metadata.
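The per-site check described in the message above, as an added sketch that is not part of the original post or of any existing extension: a cache of approved certificate hashes consulted for the page and for every origin that supplies its subresources. The names `PinStore` and `evaluate_page` are hypothetical, and the certificate bytes are constructed placeholders.

```python
import hashlib
from urllib.parse import urlsplit


class PinStore:
    """Per-host cache of certificate hashes; no CA is consulted at all."""

    def __init__(self):
        self._pins = {}  # host -> set of SHA-256 hex digests the user approved

    @staticmethod
    def fingerprint(cert_der: bytes) -> str:
        # Live DER bytes: ssl.SSLSocket.getpeercert(binary_form=True).
        return hashlib.sha256(cert_der).hexdigest()

    def approve(self, host: str, cert_der: bytes) -> None:
        """Record an explicit per-site decision by the user."""
        self._pins.setdefault(host.lower(), set()).add(self.fingerprint(cert_der))

    def check(self, host: str, cert_der: bytes) -> str:
        pins = self._pins.get(host.lower())
        if pins is None:
            return "unknown"      # never approved: block and ask
        if self.fingerprint(cert_der) in pins:
            return "ok"
        return "mismatch"         # approved host, different cert: alert


def evaluate_page(store, page_url, resource_urls, presented):
    """Return (renderable, verdicts); `presented` maps host -> DER bytes seen."""
    # Every origin serving script, CSS or images is checked, not only the
    # host in the address bar; a single bad origin blocks the whole page.
    verdicts = {}
    for url in [page_url, *resource_urls]:
        parts = urlsplit(url)
        host = parts.hostname
        if parts.scheme != "https" or host not in presented:
            verdicts[host] = "insecure"
        else:
            verdicts[host] = store.check(host, presented[host])
    return all(v == "ok" for v in verdicts.values()), verdicts


if __name__ == "__main__":  # constructed sample bytes stand in for real certs
    certs = {"amazon.com": b"cert-A", "images-na.cdn.azws.com": b"cert-B"}
    store = PinStore()
    store.approve("amazon.com", certs["amazon.com"])
    print(evaluate_page(store, "https://amazon.com/",
                        ["https://images-na.cdn.azws.com/app.js"], certs))
```

With only the main host approved, the page is reported as not renderable because the CDN origin is still `unknown`, which is the broken-page state the message describes.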