Root Certificates

There are so many problems with the current system of trusted roots being baked-in to browsers that I honestly don't know where to begin.

Perhaps this one: Leaving aside the likelihood that the US three-letter agencies have copies of all certificates issued by US certification entities (they'd only need the roots anyway) ...

They could just use a 'tame' registrar to give them another signed cert for any domain they want to impersonate with a good old MITM attack. Unless we're able to trust all the roots ...

Updated: Nailed it