Comment Re: I believe you missed who the adversary is (Score 1) 109
https is and always was broken by design. It is, and never was, safe against a government adversary and it never will be.
Other than certificate pinning (which you can do with CA certs and SSL/TLS just as easily), describe a scheme that doesn't have this problem. No?
At some point, you have to have a trusted party to provide trust in a cert. Otherwise, you have nothing. And that trusted party can be compromised, at which point you have nothing.
Web of trust:
The closest thing I'm aware of that avoids that is a web of trust, where trust is more widely distributed; but without a central authority there's no consistency in how well different parts of that web validate the identity of the requestor, which results in even weaker trust than with a central authority.
Of course, you could set a trust policy that requires multiple signatures to trust a certificate, but at some point, you're still trusting random websites that you don't know, and whatever limit you set, a government could always exceed it. If you say that three sites must sign something for you to trust it, the government can find three sites that can be bribed, or even use their own sites to sign it.
Mind you, you could carefully craft trust policies, and then manually evaluate every certificate that fails to decide whether you trust it, and that would be more secure for people who are highly skilled at crypto, but for the average person, such a scheme would be much, much weaker.
DNS-based security:
Another proposal for reducing the importance of the CAs is putting the certs in DNS records. This ensures that only those who can mess with DNS can change the certs.
Unfortunately, most users rely on external DNS servers for recursion. If the government substitutes their own, they can refuse all DNSSEC queries, and most users will be none the wiser. This effectively makes DNSSEC useless until OS vendors make it mandatory by showing errors when they get an unsigned response.
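The pinning, certs-in-DNS (DANE/TLSA) and DNSSEC-stripping points in the comment above, as an added example that is not part of the post. It is a toy identity check, written here for illustration: the certificate and SubjectPublicKeyInfo byte strings are constructed stand-ins rather than real DER, the "government" resolver is modelled simply as an answer whose AD (authenticated data) bit is clear, and the names `check_identity`, `Verdict`, `TLSA` and `DnsAnswer` are this example's own. Only DANE-EE (usage 3) records are handled; records with other usages or unknown matching types are treated as unusable, as RFC 6698 says to do.

```python
"""Toy TLS identity check: pins, DANE-EE TLSA matching, and DNSSEC downgrade.
Added example; not code from the Slashdot post. Cert/SPKI bytes are constructed."""
import hashlib
from dataclasses import dataclass
from enum import Enum


class Verdict(Enum):
    TRUSTED = "trusted"               # identity established without relying on a CA
    REJECTED = "rejected"             # hard failure
    FALLBACK_TO_CA = "fallback-to-ca" # no usable DANE data: ordinary CA validation only


@dataclass(frozen=True)
class TLSA:
    usage: int       # 3 = DANE-EE: the record names the end-entity cert itself
    selector: int    # 0 = full certificate, 1 = SubjectPublicKeyInfo
    matching: int    # 0 = exact bytes, 1 = SHA-256, 2 = SHA-512
    data: bytes      # certificate association data


@dataclass(frozen=True)
class DnsAnswer:
    records: tuple        # TLSA records returned (may be empty)
    authenticated: bool   # resolver's AD bit: True only if DNSSEC validation succeeded


def _digest(matching: int, blob: bytes):
    """Apply the TLSA matching type; None marks an unknown (unusable) type."""
    if matching == 0:
        return blob
    if matching == 1:
        return hashlib.sha256(blob).digest()
    if matching == 2:
        return hashlib.sha512(blob).digest()
    return None


def tlsa_matches(record: TLSA, cert_der: bytes, spki_der: bytes) -> bool:
    """True if a DANE-EE record matches the presented certificate."""
    if record.usage != 3:            # other usages (CA constraints etc.) not modelled here
        return False
    blob = cert_der if record.selector == 0 else spki_der
    computed = _digest(record.matching, blob)
    return computed is not None and computed == record.data


def pin_matches(spki_der: bytes, pins: frozenset) -> bool:
    """HPKP-style pin: SHA-256 of the SubjectPublicKeyInfo."""
    return hashlib.sha256(spki_der).digest() in pins


def check_identity(cert_der: bytes, spki_der: bytes, answer: DnsAnswer,
                   pins: frozenset = frozenset(), strict_dnssec: bool = False) -> Verdict:
    # 1. A pin is independent of both the CA system and DNS, so it decides first.
    if pins:
        return Verdict.TRUSTED if pin_matches(spki_der, pins) else Verdict.REJECTED
    # 2. DANE data is only meaningful if the resolver actually validated it.
    if not answer.authenticated:
        # The downgrade from the post: a resolver that refuses DNSSEC leaves the
        # TLSA data unverifiable. A lenient client silently falls back to CA-only
        # validation; a strict one refuses to proceed.
        return Verdict.REJECTED if strict_dnssec else Verdict.FALLBACK_TO_CA
    if not answer.records:
        return Verdict.FALLBACK_TO_CA   # authenticated denial: this name has no TLSA
    if any(tlsa_matches(r, cert_der, spki_der) for r in answer.records):
        return Verdict.TRUSTED
    return Verdict.REJECTED             # authenticated TLSA exists but nothing matches


# Constructed stand-ins (not real DER): the site's real cert and an impostor cert
# issued by a CA the attacker controls.
REAL_CERT = b"constructed-der:real-site-cert"
REAL_SPKI = b"constructed-spki:real-site-key"
FAKE_CERT = b"constructed-der:government-issued-cert"
FAKE_SPKI = b"constructed-spki:government-key"

# The site's published TLSA record: usage 3, selector 1 (SPKI), SHA-256.
LEGIT_TLSA = TLSA(3, 1, 1, hashlib.sha256(REAL_SPKI).digest())
PINS = frozenset({hashlib.sha256(REAL_SPKI).digest()})


def demo() -> dict:
    """Run the scenarios the post discusses and return each verdict."""
    honest_dns = DnsAnswer((LEGIT_TLSA,), authenticated=True)
    stripped_dns = DnsAnswer((), authenticated=False)   # resolver refused DNSSEC
    return {
        "real cert, validated TLSA": check_identity(REAL_CERT, REAL_SPKI, honest_dns),
        "fake cert, validated TLSA": check_identity(FAKE_CERT, FAKE_SPKI, honest_dns),
        "fake cert, DNSSEC stripped, lenient": check_identity(FAKE_CERT, FAKE_SPKI, stripped_dns),
        "fake cert, DNSSEC stripped, strict": check_identity(FAKE_CERT, FAKE_SPKI, stripped_dns,
                                                             strict_dnssec=True),
        "fake cert, pinned client": check_identity(FAKE_CERT, FAKE_SPKI, stripped_dns, pins=PINS),
        "real cert, pinned client": check_identity(REAL_CERT, REAL_SPKI, stripped_dns, pins=PINS),
    }


if __name__ == "__main__":
    for scenario, verdict in demo().items():
        print(f"{scenario:40s} -> {verdict.value}")
```

The lenient branch is the behaviour the comment complains about: with the AD bit clear the client has no idea whether the site ever published a TLSA record, so it quietly ends up trusting whatever the CA-validated chain says, which is exactly the chain the adversary controls. The strict branch is what "showing errors when it gets an unsigned response" amounts to, and the pinned client shows why pinning sidesteps both the CA and the resolver.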