In light of Superfish bundled by Lenovo [1], one realizes HTTPS is at the mercy of ANY of the myriad certificate authorities trusted by your browser.

Instead of your browser complaining when a certificate fails for a given site, it keeps looking for another, valid certificate. How's that for a security model?

Why is Hongkong Post a trusted institution of my browser? I don't want Hong Kong to MITM my communication with any other site.

[1] https://en.wikipedia.org/wiki/Superfish#Lenovo_security_incident