Fun! Not. Though the current model may be less than ideal, we must grant them one thing: in the decades it's been in place, the number of these breaches has been exceedingly small. That's saying something.
Perhaps users of browsers should get the option to block certs by country-of-issuance? I bet I could turn off all of .ru, .ro and .cn and never notice. (I'd probably need .tw though.)