Why don't browser makers add a function where the browser would tell you if your SSL connection is being intercepted? It's trivially easy to check, all you need is a known good site to sign a message with the cert of a specific CA, and if the browser sees it's signed by anything else, it would throw a warning. Chrome already does something similar with cert pinning.
Because the next Superfish will just let that one site through and intercept the rest. (If you don't believe me, take a look at the arms race around captive portal detection, and captive portals don't even have the convenience of running on the same computer and being able to add SSL root certs.)
Alternatively, the next Superfish could just patch that check out.
Many captive portals don't want to be detected in a separate flow. OS X, iOS, Android, Chrome, Windows 8, etc. all notice if you're running a captive portal, and pop up a separate browsing window: as soon as you can reach the portal, they kill the window and let you get back to your work.
But if the portal was going to redirect you to some ads or other "value-added" content, then they may not want that window to be killed. My former local Barnes and Noble would explicitly whitelist Windows' detection URL, so that they could redirect you to the BN home page instead of to the page you were trying to visit.
And seriously, let's admit it - the "value added" thing is bullshit, and captive portals are mostly either useless (TOS that no one reads anyway) or evil ("value added"). And as I see a few of my cow-orkers working on a captive portal right now, I can't help but think that marketers indeed live inside a strong reality distortion bubble, not realizing that the product they want is making everyone's life worse.