Recall: "Symantec was forced to fire 3 employees after Google's engineers found rogue SSL certificates issued in its name used in the wild."
Was anyone prosecuted for that? No? So it was a government backdoor; you don't fake an identity document like that and it doesn't even get investigated. Snowden docs reveal Google HTTPS traffic was man-in-the-middled; that means a trusted cert authority needed to issue the fake certificate, and I know which company I think did that.
Look, the system is flawed: it lets anyone under the trusted tree issue certs for any website, and that's clearly wrong.
Browsers need to start tracking the certs for each website, and if the certs change, then it's untrusted even if Symantec says it's trusted. Because the chain of trust itself cannot be trusted, if it reports a new certificate, the trust is broken; you have to build up confidence in this new certificate over time.
Google's certificate pinning is Google's log; I have no reason to trust Google's logs either.
I thought we'd agreed backdoors were a bad thing, yet TLS is so backdoored that a private company can issue certs for the Syrian government to fake US websites. The system is so badly flawed.