
and the only problem with this is that unless you can unequivocally prove that the public key you are encrypting with is for the intended recipient, you're stuck. Until we have an infrastructure that can allow truly secure proof of identity, you can be assured, email (and every other form of internet communication) is insecure. The only secure email is the one you never sent... or if you're using webmail, it's the one you never wrote. If you want truly secure email, only use a public key to encrypt it if you can prove beyond a shadow of a doubt that the public key you are encrypting with is for the person you intend to write to. Internet delivery of the public key by the standard methods isn't foolproof.



Active MITM attacks are not easy by any stretch, certainly not against email. On top of that, if you do not begin the attack before the first messages are sent, you will not get another chance, at least not easily. It would also not be enough to control just the mail server; you need to control every communications channel available to the target, which is a substantial effort and far beyond the scope of what we are trying to achieve with email privacy. Frankly, anyone who can pull that off could more easily break into your home and install a keystroke logger somewhere.

PGP's model works pretty well. You get the key from a key server, you communicate through a (presumably different) mail server, and if you need more protection you use the web of trust. Imperfect, sure, but no security system is perfect, and at least with this the barrier to spying is high enough to stop mass surveillance (not true of Lavabit, whose users just have to be thankful that the service was shut down over such a request).


The WoT concept is flawed but it is the lesser evil. Also it is not the critic's place to dictate what standard of assurance anyone else should accept.

All schemes to verify identification of an entity with a key are probabilistic and in some degree unreliable. Even if the correspondent is your best friend and you exchange keys in person, there is the possibility that one of you will fail to maintain exclusive control over his/her secret key. The question is which methods are best in a relative sense - and what qualifies as "good enough" is for each operator to decide.

Of the two major alternatives, the CA system (and other schemes of similar design, relying on trusting third parties) and the web of trust based on individuals' estimations - of these, the latter is clearly more reliable. It was hard to convince anyone of this years ago, but the tech world has (mostly) now recognized the folly of third-party systems after painful experience.

EDIT: Corrected "former" to "latter", per post below - thanks!


You wrote:

> Of the two major alternatives, the CA system ... and the web of trust ..., of these, the former is clearly more reliable.

That is, you wrote "the CA system is more reliable than the WoT".

I'm pretty sure you didn't mean what you wrote. It seems to contradict the rest of your post.

Elaborating for the benefit of other readers: we have lots of evidence that the Certificate Authority system has been repeatedly compromised, certainly by state actors and probably also by (other) criminals. There are semi-solutions, like certificate pinning. One alternative (the only alternative I know of) is not trusting any Authority to get good certs, but rather getting them yourself, or from people you trust, or from people trusted by people you trust, etc... thus the Web of Trust. This alternative is pretty poor, but it might be less broken than CAs.
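The comments above describe the web of trust in words (get the key from a key server, let signatures from people you trust vouch for it, accept a key as the recipient's only when enough vouching exists). The following is an added worked example, not code from any commenter, that shows how that decision is actually computed. It approximates GnuPG's classic trust model with its default thresholds (1 fully trusted signer or 3 marginally trusted signers, certification chains at most 5 hops long); every key, fingerprint, uid, signature and owner-trust level in it is constructed for illustration, including the attacker-uploaded key that carries Bob's address.

```python
"""Toy model of the classic PGP/GnuPG web-of-trust validity computation.

Constructed example: every key, signature and trust level below is made up.
Rules approximated from GnuPG's classic trust model defaults:
  - a key is valid if it is ultimately trusted, or
  - it carries signatures from enough *valid* keys whose owner trust suffices:
    1 fully trusted signer (completes-needed) or 3 marginally trusted signers
    (marginals-needed), and
  - the certification chain from an ultimately trusted key is at most
    max_cert_depth hops long.
"""
from dataclasses import dataclass, field

ULTIMATE, FULL, MARGINAL, UNKNOWN = "ultimate", "full", "marginal", "unknown"


@dataclass
class Key:
    fingerprint: str            # hypothetical short fingerprints, not real keys
    uid: str
    ownertrust: str = UNKNOWN   # how far we trust the owner to certify others
    signed_by: set = field(default_factory=set)  # fingerprints of certifiers


def compute_validity(keyring, marginals_needed=3, completes_needed=1, max_cert_depth=5):
    """Return {fingerprint: depth} for every key judged valid (depth 0 = ultimate)."""
    valid = {k.fingerprint: 0 for k in keyring.values() if k.ownertrust == ULTIMATE}
    # Iterate to a fixpoint: a key that becomes valid can make further keys valid.
    changed = True
    while changed:
        changed = False
        for key in keyring.values():
            if key.fingerprint in valid:
                continue
            full_signers, marginal_signers, depths = 0, 0, []
            for signer_fp in key.signed_by:
                # A signature only counts if the signer's key is itself valid
                # AND the signer's owner trust is full/ultimate or marginal.
                # Validity alone (e.g. Frank below) does not make a certifier.
                if signer_fp not in valid:
                    continue
                signer = keyring[signer_fp]
                if signer.ownertrust in (ULTIMATE, FULL):
                    full_signers += 1
                    depths.append(valid[signer_fp])
                elif signer.ownertrust == MARGINAL:
                    marginal_signers += 1
                    depths.append(valid[signer_fp])
            if not depths:
                continue
            depth = min(depths) + 1
            if depth > max_cert_depth:
                continue
            if full_signers >= completes_needed or marginal_signers >= marginals_needed:
                valid[key.fingerprint] = depth
                changed = True
    return valid


def build_example_keyring():
    """Constructed keyring: Alice is 'our' key; everything else is illustrative."""
    keys = [
        Key("A1", "alice@example.org", ULTIMATE),
        Key("B2", "bob@example.org", FULL, {"A1"}),
        Key("C3", "carol@example.org", MARGINAL, {"A1"}),
        Key("D4", "dave@example.org", MARGINAL, {"A1"}),
        Key("E5", "eve@example.org", MARGINAL, {"A1"}),
        Key("F6", "frank@example.org", UNKNOWN, {"B2"}),               # one full signer
        Key("G7", "grace@example.org", UNKNOWN, {"C3", "D4"}),         # only two marginals
        Key("H8", "heidi@example.org", UNKNOWN, {"C3", "D4", "E5"}),   # three marginals
        Key("I9", "ivan@example.org", UNKNOWN, {"F6"}),   # Frank is valid but not a trusted certifier
        # Attacker-uploaded key carrying Bob's uid: same address, different
        # fingerprint, signed only by keys nobody in our graph has certified.
        # Keyserver delivery cannot distinguish it from the real one; the
        # trust computation can.
        Key("M0", "bob@example.org", UNKNOWN, {"X1", "X2", "X3"}),
        Key("X1", "x1@example.net"), Key("X2", "x2@example.net"), Key("X3", "x3@example.net"),
    ]
    return {k.fingerprint: k for k in keys}


def key_for_uid(keyring, uid, valid):
    """Pick the key to encrypt to for a uid: exactly one *valid* key, else None."""
    candidates = [k for k in keyring.values() if k.uid == uid and k.fingerprint in valid]
    return candidates[0].fingerprint if len(candidates) == 1 else None


if __name__ == "__main__":
    kr = build_example_keyring()
    valid = compute_validity(kr)
    for fp, key in kr.items():
        status = f"valid (depth {valid[fp]})" if fp in valid else "NOT valid"
        print(f"{fp} {key.uid:22} ownertrust={key.ownertrust:9} {status}")
    print("encrypt to bob@example.org ->", key_for_uid(kr, "bob@example.org", valid))
```

Two things the run makes concrete that the prose leaves implicit: validity and owner trust are separate axes (Frank's key is valid, but since we have assigned him no owner trust, his signature on Ivan's key counts for nothing), and the attacker's "bob@example.org" key is rejected not because the software can see it is fake, but because nobody we trust has certified it. That is also the limit of the model: it tells you what your trust graph vouches for, and the graph is only as good as the fingerprint checks behind each signature, which is the point the first comment makes. Real GnuPG additionally handles revocations, expiry and trust signatures, none of which this toy covers.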



