It's a shame that the only real protection against rogue (or compromised) CAs is still to have a whitelist directly in the browser.
For Google, this was easy as they control both their domains and their browser, but for everybody else who isn't maintaining a browser, they'd have to fall back to solutions like STS which, don't work if the first connection a user sees is already man-in-the-middle'd
For Google, this was easy as they control both their domains and their browser, but for everybody else who isn't maintaining a browser, they'd have to fall back to solutions like STS which, don't work if the first connection a user sees is already man-in-the-middle'd