One idea would be for Mozilla et al. to compile a list of "independent" CAs. That is, CAs that are independent businesses and not subsidiaries of one another. Then users could only trust certs that are signed by N > 1 independent CAs, where users could choose N based on their circumstances.
This would, alas, make life more expensive and more complicated for Web site owners, but it means that hackers would have to compromise N CAs instead of 1 CA to perform a MITM attack. And high-value targets like Google, Paypal, banks, eBay, etc. can surely afford certificates signed by 4 or 5 independent CAs.
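The threshold policy sketched in the comment above, as an added example that is not the commenter's code: a Python check that maps each signing CA to its owning business and trusts a certificate only when at least N distinct businesses signed it. The CA names and the ownership table are constructed placeholders, not real corporate data.

```python
"""Threshold-of-independent-CAs trust check (added illustration).

The CA issuer names and the ownership table below are constructed for
this example; they describe no real CA or company.
"""
from dataclasses import dataclass, field

# Constructed ownership table: CA issuer name -> ultimate owning business.
# Two issuers sharing an owner are NOT independent and count only once.
CA_OWNER = {
    "Example Root CA 1": "Example Holdings",
    "Example Root CA 2": "Example Holdings",   # subsidiary of the same group
    "Sample Trust Root": "Sample Trust Inc",
    "Demo Secure Root": "Demo Secure Ltd",
}


@dataclass
class CertBundle:
    """Constructed stand-in for a certificate carrying several CA signatures."""
    subject: str
    issuers: list = field(default_factory=list)


def independent_signers(issuers, owner_table=CA_OWNER):
    """Return the set of distinct owning businesses behind the signing CAs.

    Issuers missing from the table are ignored: an unknown CA cannot be
    shown to be independent of the others, so it earns no credit.
    """
    return {owner_table[i] for i in issuers if i in owner_table}


def trusted(bundle, n, owner_table=CA_OWNER):
    """Trust the certificate only if signed by at least n independent CAs."""
    if n < 1:
        raise ValueError("n must be at least 1")
    return len(independent_signers(bundle.issuers, owner_table)) >= n


if __name__ == "__main__":
    # Two signatures from one corporate group count as a single independent CA.
    same_group = CertBundle("bank.example", ["Example Root CA 1", "Example Root CA 2"])
    # Three signatures from three separate businesses.
    diverse = CertBundle("bank.example",
                         ["Example Root CA 1", "Sample Trust Root", "Demo Secure Root"])
    for name, b in (("same_group", same_group), ("diverse", diverse)):
        print(name, "N=2:", trusted(b, 2), "N=3:", trusted(b, 3))
```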
Copyright © 2017, Eklektix, Inc.