SSL isn't broken by this
It's the current CA/PKI system used with SSL which is broken, not SSL itself. If your application tells SSL to trust a particular certificate authority or certificate, that's exactly what it will do.
At least when I run an SSH tunnel (which also uses SSL) out of my corporate work environment using X forwarding I can display applications run remotely on my secured system displayed locally, and for which I personally get to check the SSL fingerprint of the SSH server. I do similar things with my server's SMTP/IMAP AUTH TLS cert when I set up email clients, and I got suitable warnings on all of them when I changed the TLS private key.
Moxie Marlinspike's Convergence protocol http://www.youtube.com/watch?v=Z7Wl2FW2TcA (long video - but well worth the time spent) shows that at least someone is trying to set something up so that end users don't need to match hex strings to do this job.
But none of this PKI problem (where you can choose usability or security but not both) can ever really be fixed without end to end DNSSEC.
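The fingerprint-check-and-warn-on-change behaviour described in the comment above can be written as a small trust-on-first-use pin store. This is an added example, not part of the original comment or of any project it mentions; the names `PinStore`, `fetch_der` and the sample byte strings are assumptions made for illustration, and `fetch_der` assumes a port that speaks TLS from the first byte.

```python
import hashlib
import hmac
import socket
import ssl

# Constructed stand-ins for DER certificates (not real certificates).
OLD_CERT = b"constructed-der-cert-original-key"
NEW_CERT = b"constructed-der-cert-after-rekey"


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 of the DER certificate as colon-separated hex."""
    digest = hashlib.sha256(der_cert).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fetch_der(host: str, port: int, timeout: float = 5.0) -> bytes:
    """Fetch the leaf certificate; CA checks are off because the pin decides."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


class PinStore:
    """Trust-on-first-use map of host:port to pinned fingerprint."""

    def __init__(self):
        self.pins = {}

    def check(self, host: str, port: int, der_cert: bytes) -> str:
        key, seen = f"{host}:{port}", fingerprint(der_cert)
        pinned = self.pins.get(key)
        if pinned is None:
            self.pins[key] = seen  # first contact: compare out of band
            return "first-use"
        if hmac.compare_digest(pinned, seen):
            return "match"
        return "mismatch"  # old pin is kept until a human accepts the change

    def accept(self, host: str, port: int, der_cert: bytes) -> None:
        """Re-pin after the operator has verified the new fingerprint."""
        self.pins[f"{host}:{port}"] = fingerprint(der_cert)
```

A "mismatch" result is the point where a client should stop and show the new fingerprint, since a legitimate re-key and an interception look identical at this layer.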