[liberationtech] How to protect users from compelled fake ssl certs?
Anthony Papillion
anthony at cajuntechie.org
Mon Jul 1 20:51:26 PDT 2013
What is the most effective way to protect users against a compelled
fake certificate attack? Since any CA can issue any cert and any
US-based CA could probably be compelled to issue a fake CA, how can we
protect against this?

My initial thought would be to publish the certificate fingerprint on
a website and encourage users to verify that what they have matches
every now and then. But this is a huge hassle for users.

Are there any better ways?

Thanks!
Anthony
--
Sent from my mobile device
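
An added example, not part of the original post: one way to automate the fingerprint comparison the message describes, in Python. The host name, sample bytes and function names are assumptions, and the published fingerprint is assumed to reach the user over a channel other than the TLS connection being checked.

```python
import hashlib
import hmac
import socket
import ssl

def fingerprint(der: bytes) -> str:
    """SHA-256 over the DER-encoded certificate, as colon-separated hex."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def normalize(fp: str) -> str:
    """Accept 'AA:BB', 'aa bb' or 'aabb' spellings of the same fingerprint."""
    return "".join(c for c in fp.lower() if c in "0123456789abcdef")

def matches_published(der: bytes, published: list[str]) -> bool:
    """True if the fingerprint equals any published value (several entries
    let the operator announce the next certificate before rotating)."""
    seen = normalize(fingerprint(der))
    return any(hmac.compare_digest(seen, normalize(p)) for p in published)

def fetch_leaf_der(host: str, port: int = 443, timeout: float = 10.0) -> bytes:
    """Return the DER bytes of the certificate the server presents right now.

    Normal CA validation stays on; the fingerprint check is an extra test
    on top of it, since a compelled certificate would pass CA validation.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)

def check_host(host: str, published: list[str], fetch=fetch_leaf_der) -> str:
    """Report OK, or MISMATCH plus the fingerprint that was actually seen."""
    der = fetch(host)
    if matches_published(der, published):
        return "OK"
    return "MISMATCH " + fingerprint(der)

# Constructed sample: placeholder bytes stand in for DER certificates so the
# demo runs offline; real input comes from fetch_leaf_der().
GENUINE = b"constructed-der-bytes-genuine"
SUBSTITUTE = b"constructed-der-bytes-substitute"
PUBLISHED = [fingerprint(GENUINE)]  # assumed to be obtained out of band

if __name__ == "__main__":
    print(check_host("example.org", PUBLISHED, fetch=lambda h: GENUINE))
    print(check_host("example.org", PUBLISHED, fetch=lambda h: SUBSTITUTE))
```

Running the check on a schedule and alerting on MISMATCH removes the manual step from users; a mismatch can also mean a routine certificate renewal, so the published list has to be updated before each rotation.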