Fraudulent *.google.com certificate issued

It is the same here in Brazil, see https://bugzilla.mozilla.org/show_bug.cgi?id=438825 (the tax office is https://www.receita.fazenda.gov.br/).

The trick I use is, whenever installing a new computer, go to https://www.mozilla.org/projects/security/certs/pending/, which has both the links to the correct root certificates for ICP-Brasil and their fingerprints (they are what Mozilla will add if/when the CA is accepted). Just click on each one, set the correct trust bits (also listed in that page - in ICP-Brasil's case, it is only "Websites"), compare the fingerprint, and done. Just remember to check you are using https for that page.

I assume the tax offices also distribute information to the public that needs to be correct to protect people's privacy; if someone made tax form booklets that told you to send the forms to an attacker (who would then send them on to the correct address, having copied them), they could steal all sorts of information. If these official mailings included the CA fingerprint where they tell you about the web site, it would be more secure than what Google does, because an attacker couldn't just hack into some insecure CA and get a fraudulent certificate that would act the way the booklet tells you to expect.