Opportunistic encryption of all sessions doesn't require any certificates. All that's needed is a key exchange algorithm and browser support. The UI would make it clear when a certificate was presented and validated, but no cert is needed for unauthenticated encrypted connections.
The next step up from that would be unsigned public keys with pinning (like ssh) to reduce MITM, and finally above that would be identity verification on the level of https.
Which is why the pinning bit comes in. If I connect to server X at home, get their self-signed cert and then connect later at starbucks on a MITM'd connection, I will know something is wrong.
Best solution? Not by a long shot, but it is a reasonably simple one to implement and does improve things.
You need to complete that sentence before it is a real suggestion: "and either the keys were changed or there is an active MITM. The browser then ..".
It would not be acceptable to trade the ability to change SSL keys for a trust-on-first-use model. There are solutions to this of course, but also tradeoffs. These needs to be taken into account.
> You don't have to care about MITM to benefit from opportunistic encryption.
How? An encrypted connection subject to MITM is as secure as an non-encrypted one. Attackers will stop listening for plaintext credentials at WiFi spots and will just launch their favorite HTTPS MITM tool instead.
Certificate pinning is flawed because you cannot revoke certificates from your clients. How would you distinguish a MITM attack from a certificate change? And if you can't revoke certificates, what happens after an attacker gains access to the private keys? Definitely flawed model.
HTTPS without identity verification is even worse than HTTP. IMHO a false sense of security is more dangerous than no security. Self-signed certificates must not be advertised as secure by browsers (the famous lock icon) because they are not! This would render them invisible for most users.
Self-signed certificates are only viable for tech-savvy users, and even then the dangers are too many and the burden too heavy (did the server change certs, or am I being subject to a MITM attack?) for them to be useful.
MITM isn't the only threat to Internet users. I can see three levels of security, each of which provides more security for users but less convenience for server operators:
1. Opportunistic encryption without certificates or identity pinning -- protects against dragnet surveillance and packet sniffing, but not MITM.
2. Encryption with pinned self-signed certs -- protects against second connection MITM, but not stolen certs without some revocation design.
3. Encryption and identity verification with CA- or WoT-signed certs -- protects against first connection MITM except by powerful adversaries.
The next step up from that would be unsigned public keys with pinning (like ssh) to reduce MITM, and finally above that would be identity verification on the level of https.