
This is the core problem of 'trusting trust' in the certificate chain. I explicitly do not trust most of the top-level CAs - they have repeatedly been proved untrustworthy by both mistakes and intentional malice, so the whole current chain is useless.

I'd prefer trusting a much more limited (i.e., specifically excluding 99% of national government CAs) set of CAs; and for the major providers that hold my data, including Google, I'd only trust a chain where they themselves are at the top, i.e., where companies such as Equifax and GeoTrust (who currently sign the google.com certificate) and anyone else are physically unable to issue new certificates for Google sites.




Yeah, but the "trusting trust" rathole has no bottom. Why stop at the government CAs? Google certainly cooperated with NSA surveillance; if presented with a subpoena they could be forced to implement a MITM attack in Chrome directly. Why trust any browser vendor or CAs that could conceivably be vulnerable to government pressure?

A more subtle solution to the CA mess is needed.


Well, if I'm connecting to www.google.com or gmail.com, then I have to trust Google anyway - so Google can do anything anyway, but the infrastructure needs to ensure that, say, the Russian government can't do a MITM without cooperation from Google itself.

The same goes for www.thatserviceIreallytrust.com. There should be a trivial, accessible-by-default way to whitelist them in a way that no one else can make a new 'valid' certificate for them.
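The per-site whitelist described in this comment is essentially public-key pinning: the client accepts a chain only if one of its certificates carries a key the site operator has pinned, so a certificate issued by any other CA fails even though the CA itself is trusted. The following is an added example (not code from the thread or from any browser) showing that check in the HPKP/Chrome static-pin style, with constructed placeholder bytes standing in for the DER SubjectPublicKeyInfo blobs; `www.example.test` and the key values are assumptions.

```python
import base64
import hashlib
from typing import Dict, List, Set

# Pin sets keyed by host: a chain is accepted for a host only if at least one
# certificate in it carries a public key (SPKI) whose SHA-256 hash is listed.
# Pinning the operator's own key (plus a backup) means a certificate issued by
# any other CA, however trusted, fails the check for that host.
PinSet = Dict[str, Set[str]]


def spki_fingerprint(spki_der: bytes) -> str:
    """SHA-256 of the DER-encoded SubjectPublicKeyInfo, base64 as in HPKP."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()


def chain_matches_pins(host: str, chain_spkis: List[bytes], pins: PinSet) -> bool:
    """Return True if the presented chain (leaf first) is acceptable for host.

    A host with no pin set falls back to ordinary CA validation (True here),
    which is exactly the default behaviour the comment argues against.
    """
    wanted = pins.get(host)
    if wanted is None:
        return True
    return any(spki_fingerprint(spki) in wanted for spki in chain_spkis)


# Constructed sample keys (not real certificates): these bytes stand in for the
# DER SubjectPublicKeyInfo a client would extract from each certificate.
SITE_KEY = b"constructed-spki-site-operator"
BACKUP_KEY = b"constructed-spki-site-backup"
OTHER_CA_KEY = b"constructed-spki-some-other-ca"
ROOT_KEY = b"constructed-spki-a-trusted-root"

# Assumed host; the operator pins its own key and one backup key.
PINS: PinSet = {
    "www.example.test": {spki_fingerprint(SITE_KEY), spki_fingerprint(BACKUP_KEY)},
}

if __name__ == "__main__":
    # Chain under the operator's own key: accepted.
    print(chain_matches_pins("www.example.test", [SITE_KEY, ROOT_KEY], PINS))
    # Chain issued by a different, otherwise-trusted CA: rejected.
    print(chain_matches_pins("www.example.test", [OTHER_CA_KEY, ROOT_KEY], PINS))
```

The backup pin matters operationally: without it, a key rotation would lock every pinning client out of the site until the pin set is updated.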



