The solution for bank sites, at least, is to print the certificate fingerprint on bank statements and ATM cards. Of course, browsers would have to have an interface for users to indicate that they have personally validated the certificate for some particular purpose. If you're using an ATM card provided to you by an attacker, you've got problems already. And this is the only way to stop an attacker with a similarly-named legitimate business as a front (yes, this is a secure connection to a legitimate business's web site, but it's not my bank, so I shouldn't log in). For that matter, I know that there have been multiple legitimate financial institutions simultaneously using the name "Chart Bank"; hopefully, their employees are honorable enough to not take advantage of users who try to log into the wrong one, but who knows?
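The check the comment above proposes is, mechanically, "hash the certificate the browser was handed and compare it with the fingerprint printed on the statement". Here is a worked version of that check, added here as an illustration and not code from the commenter or from any browser. It generates two throwaway self-signed certificates in place of real CA-issued ones (the names `chartbank.example` and `chart-bank.example` are made up for the example), prints the SHA-256 fingerprint a bank could put on a statement, and then verifies a presented certificate against a fingerprint typed back in, tolerating the colons, spaces and case differences of a hand-copied value. The look-alike certificate is perfectly valid, which is the point: only the out-of-band fingerprint tells it apart from the real bank.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Fingerprint returns the SHA-256 hash of the certificate's DER encoding,
// formatted as browsers and openssl show it: upper-case hex pairs
// separated by colons (95 characters for a 32-byte digest).
func Fingerprint(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.Raw)
	h := strings.ToUpper(hex.EncodeToString(sum[:]))
	parts := make([]string, 0, len(sum))
	for i := 0; i < len(h); i += 2 {
		parts = append(parts, h[i:i+2])
	}
	return strings.Join(parts, ":")
}

// normalize strips colons, dashes, spaces and case so that a fingerprint
// copied from a statement compares equal however it was printed or typed.
func normalize(fp string) string {
	r := strings.NewReplacer(":", "", " ", "", "-", "")
	return strings.ToLower(r.Replace(fp))
}

// MatchesPrinted reports whether the presented certificate's fingerprint
// equals the one the user read from an out-of-band source (statement, card).
// The comparison is constant-time; a length mismatch (e.g. a truncated
// value) is simply a mismatch, never a partial match.
func MatchesPrinted(cert *x509.Certificate, printed string) bool {
	got := normalize(Fingerprint(cert))
	want := normalize(printed)
	if len(got) != len(want) {
		return false
	}
	return subtle.ConstantTimeCompare([]byte(got), []byte(want)) == 1
}

// selfSigned builds a throwaway self-signed certificate for the given name.
// Constructed test data: it stands in for a CA-issued site certificate,
// which would be verified the same way from its DER bytes.
func selfSigned(commonName string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: commonName},
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(24 * time.Hour),
		DNSNames:     []string{commonName},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	bank, _ := selfSigned("chartbank.example")
	// A different, legitimately issued certificate for a similar name.
	lookalike, _ := selfSigned("chart-bank.example")

	printed := Fingerprint(bank) // what the bank would print on the statement
	fmt.Println("printed on statement: ", printed)
	fmt.Println("real bank matches:    ", MatchesPrinted(bank, printed))
	fmt.Println("lookalike matches:    ", MatchesPrinted(lookalike, printed))
	fmt.Println("typed without colons: ", MatchesPrinted(bank, normalize(printed)))
}
```

Note that this only answers "is this the certificate my bank told me about"; it says nothing about whether the chain is otherwise valid, which is the check the browser already does and which the comment's point is that a look-alike business also passes.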
Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds