"One simple approach would be a certificate server which allowed any site to request a certificate and verify it owned the domain in question by putting a response to a challenge in a URL on that domain on a web server on a random port below 1024."

So in your threat universe an attacker can MITM the connection between your browser and PayPal, but they can't MITM the connection between PayPal and the certificate authority?

"RSA uses large keys and large certificates, however, and people with bandwidth concerns (mostly for their users) have reason to object to it. To take a tiny transaction, such as the fetching of the lightweight Google home page (3kb in size) and make it involve tens of kilobytes is something one can still express some concern about, even today. There is an answer to that, in elliptic curve cryptography, which is able to use much smaller keys and certificates."

Most bizarre argument for ECC ever ^^^^

There are so many bad ideas here that I should leave some for other people to bash. Also because I'm worried about being a victim of some elaborate joke.
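The objection in the comment above (a challenge fetched over the network is only as trustworthy as the path the validator uses) can be made concrete with a toy model. The following is an added example, not code from the thread or from the author of the quoted proposal; the `Network`, `ChallengeServer` and vantage-point names are hypothetical. It models a CA that issues a random challenge, fetches it back from the applicant's domain, and either trusts a single network path or requires several independent vantage points to agree (the multi-perspective validation that real CAs adopted as a mitigation for exactly this problem).

```python
"""Toy model of the challenge-in-a-URL domain validation quoted above.

Constructed example. A CA issues a random token and an expected body; the
applicant must serve that body at /.well-known/challenge/<token> on the
domain. Validation is performed by fetching that path over a modelled
network in which a given (vantage point, domain) route may be intercepted.
"""
import secrets
from dataclasses import dataclass, field


@dataclass
class Network:
    """Resolves a fetch from a vantage point to whichever host answers.

    hosts: domain -> legitimate host (a dict of path -> body).
    intercepted: (vantage, domain) -> rogue host that answers instead,
    representing an attacker who controls that particular path.
    """
    hosts: dict
    intercepted: dict = field(default_factory=dict)

    def fetch(self, vantage, domain, path):
        host = self.intercepted.get((vantage, domain), self.hosts[domain])
        return host.get(path)


class ChallengeServer:
    """Hypothetical CA validator; vantage_points are the paths it fetches from."""

    def __init__(self, network, vantage_points):
        self.network = network
        self.vantage_points = list(vantage_points)
        self.pending = {}

    def issue_challenge(self, domain):
        """Return (token, expected_body) the applicant must publish."""
        token = secrets.token_urlsafe(16)
        expected = secrets.token_urlsafe(16)
        self.pending[domain] = (token, expected)
        return token, expected

    def validate(self, domain, quorum=None):
        """True if at least `quorum` vantage points see the expected body.

        quorum=None means every vantage point must agree.
        """
        token, expected = self.pending[domain]
        path = f"/.well-known/challenge/{token}"
        agreeing = sum(1 for vp in self.vantage_points
                       if self.network.fetch(vp, domain, path) == expected)
        needed = len(self.vantage_points) if quorum is None else quorum
        return agreeing >= needed


DOMAIN = "example.test"  # constructed domain name


def legitimate_scenario():
    """The real owner publishes the challenge; nobody intercepts anything."""
    owner_host = {}
    net = Network(hosts={DOMAIN: owner_host})
    ca = ChallengeServer(net, ["vp-a", "vp-b", "vp-c"])
    token, expected = ca.issue_challenge(DOMAIN)
    owner_host[f"/.well-known/challenge/{token}"] = expected
    return ca.validate(DOMAIN)


def single_path_scenario():
    """Validator with one path; that path is intercepted by the applicant.

    This is the comment's point: whoever controls the CA's route to the
    domain can answer the challenge, so a single-path check proves nothing
    against an attacker who can already sit in the middle.
    """
    net = Network(hosts={DOMAIN: {}})  # owner never published anything
    ca = ChallengeServer(net, ["ca-single"])
    token, expected = ca.issue_challenge(DOMAIN)
    net.intercepted[("ca-single", DOMAIN)] = {
        f"/.well-known/challenge/{token}": expected}
    return ca.validate(DOMAIN)


def multi_vantage_scenario():
    """Same interception of one route, but the CA requires all paths to agree."""
    net = Network(hosts={DOMAIN: {}})
    ca = ChallengeServer(net, ["vp-a", "vp-b", "vp-c"])
    token, expected = ca.issue_challenge(DOMAIN)
    net.intercepted[("vp-b", DOMAIN)] = {
        f"/.well-known/challenge/{token}": expected}
    return ca.validate(DOMAIN)


if __name__ == "__main__":
    print("legitimate owner:      ", legitimate_scenario())
    print("single path, intercept:", single_path_scenario())
    print("multi vantage, one bad:", multi_vantage_scenario())
```

The model deliberately says nothing about how a route gets intercepted; it only shows that the validator's answer depends entirely on which paths it trusts, and that demanding agreement from several independent paths turns "control one route" into "control every route" before a bogus challenge passes.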