As a result of the Comodo fiasco a few weeks ago, I marked as ‘distrusted’ all the certs that Apple’s Keychain Access app would tell me about. Safari and Chrome rely on that app to manage some central pool of certs. Only a few times a day would some browser warn me that some site’s cert was unauthenticated. Usually I had no notion of the identity of the site, so there was no useful question about ‘is this the site I expected?’ as I had no expectation. I took a few extra steps when using my bank’s site the first time. Then I told Apple’s app to trust that specific bank cert. It was not necessary to trust the CA that signed the bank’s cert. A few times an HTTPS ad would be summoned by some page and I would cancel the access. Firefox does its own cert management and I found and reported a non-critical bug in the UI for that function.

My venture broke gdb, and it took me a day to discover that it was a code-signing issue and which cert I needed to trust.