2008 has not been a happy year for web security, especially regarding the trust you can have in the identity of the web site you're visiting:

The implications of the 3rd and 4th scenarios are scary: as long as these issues stand, trusting internet transactions is an act of faith.

CAs definitely need to move their asses, performing and proving their due diligence on "basic validation" when issuing a proof of identity (which a certificate is), rather than focusing on overpriced "premium services". Obsolete technologies like MD5 in SSL certificates must be deprecated and banned, both by CAs and browser vendors, as soon as possible.

In the meantime, there's not much we as end-users can do, other than checking for a sudden and unjustified change in the SSL certificate of a site we usually do business with. That's not simple either, because there's no built-in browser alert of the kind we've got in SSH clients, for instance. Anyway, some help can come from the Perspectives add-on for Firefox.

Even if Perspectives' primary and most advertised aim is enabling SSH-style certificate "validation" for self-signed certificates (those not issued by an established certification authority), it can be configured to act as a second validation layer for CA-signed certificates too, by checking their consistency from multiple internet nodes (called "Notaries") and/or over time:

Install the Perspectives add-on (if you are not a Firefox user, get Firefox first).

Open Firefox's Tools|Add-Ons menu item, then select the Perspectives row and click the Options button.

In the Preferences panel of the Perspectives options window, check Contact Notaries for all HTTPS sites.

Optionally clear the Allow Perspectives to automatically override security errors checkbox if you're not interested in managing self-signed certificates.

Optionally modify, in the Security Settings box, the required quorum (the fraction of Notaries which must agree) and the number of days this quorum must have been reached for.

This way you should obtain some protection against rogue but "valid" certificates.
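How the quorum and the number of days interact, as an added sketch that is not part of the original post and not the add-on's own code. It is a simplified model: the per-notary observation records, the two-day staleness window and all function names are assumptions made for illustration.

```javascript
// Added illustration: a simplified model, not the add-on's code. All names are hypothetical.
const DAY = 86400; // seconds

// Start of the unbroken run in which one notary has seen `key` up to its
// latest probe; null if its latest observation is another key or is stale.
function seenSince(spans, key, now, maxStale) {
  const sorted = [...spans].sort((a, b) => a.start - b.start);
  const last = sorted[sorted.length - 1];
  if (!last || last.key !== key || now - last.end > maxStale) return null;
  let since = last.start;
  for (let i = sorted.length - 2; i >= 0 && sorted[i].key === key; i--) {
    since = sorted[i].start; // earlier span with the same key extends the run
  }
  return since;
}

// Days for which at least `quorum` (a fraction) of the notaries have agreed
// on `key`, or -1 if the quorum is not met right now.
function quorumDays(notaries, key, quorum, now, maxStale = 2 * DAY) {
  const needed = Math.max(1, Math.ceil(quorum * notaries.length));
  const since = notaries
    .map((spans) => seenSince(spans, key, now, maxStale))
    .filter((s) => s !== null)
    .sort((a, b) => a - b); // oldest agreement first
  if (since.length < needed) return -1;
  return (now - since[needed - 1]) / DAY; // when the needed-th notary joined
}

function decide(notaries, key, quorum, minDays, now) {
  return quorumDays(notaries, key, quorum, now) >= minDays ? "trusted" : "warn";
}

// Constructed sample: four notaries, key fingerprints shortened to two letters.
// Notary D started seeing a different key ("ee") two days ago.
const NOW = 100 * DAY;
const span = (key, from, to) => ({ key, start: from * DAY, end: to * DAY });
const SAMPLE = [
  [span("aa", 0, 100)],
  [span("aa", 10, 100)],
  [span("aa", 20, 60), span("aa", 60, 100)],
  [span("aa", 0, 98), span("ee", 98, 100)],
];

console.log(decide(SAMPLE, "aa", 0.75, 2, NOW)); // long-standing key
console.log(decide(SAMPLE, "ee", 0.75, 2, NOW)); // key only one notary sees
```

In this model a higher quorum or a longer duration also makes a legitimately renewed certificate warn until enough Notaries have seen it for long enough, while a quorum low enough to be satisfied by a single Notary accepts the "ee" key above.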

Happy new year!