How can you (or an 'average user' whoever that might be) carefully evaluate untrusted certificates? Wouldn't i need some kind of detached information like the certificates hash signed by an already known gpg key?
The CA idea is broken but not too easy to replace. http://convergence.io/ could be a few steps forward.
You could have a URL format that includes the signature of the key. Big sites would transparently add the signature and the browser would give a warning if the signature is different. You could add the same signature information to cookies and warn the user if it changes.
There is a big tradeoff here: The ability to enter URLs manually.
This is what we tell users to do today for important sites, and not click in links in mail or elsewhere. It is not obvious that there is a net benefit in security.
> How can you (or an 'average user' whoever that might be) carefully evaluate untrusted certificates?
Well, you decide whether you want to trust the person on the certificate, and if the security ever changes again that'd be the red flag. Initial trust is always difficult.
The CA idea is broken but not too easy to replace. http://convergence.io/ could be a few steps forward.