What we really want is some way to be able to check the fingerprints to make sure that the cert that's being used is the expected one. This unfortunately doesn't seem possible without some out-of-band communications system.
Here in Thailand the junta promises to MITM all TLS traffic. I doubt it can be stopped, but it would be good to at least be able to see when they do it. I don't see sites publish their certificate fingerprints anywhere which would at least allow some form of manual check.
It might be enough to be able to get the browser to tell us when a certificate changes -- this would need to be opt in of course.
> I don't see sites publish their certificate fingerprints anywhere which would at least allow some form of manual check.
That's exactly what Google and the like are building in Certificate Transparency (http://www.certificate-transparency.org/). It's basically a log of all modifications on any certificate chain that can be monitored by anyone who is interested so that misissuance can be detected.
There's also the old Perspectives project, whose idea was forked into Convergence (https://en.wikipedia.org/wiki/Convergence_%28SSL%29) by good ol' moxie. The idea: any number of independent entities run notary servers, and when you get the certificate for a domain you also ask those notaries for the certificate for the same domain; if they have the same certificate, it means you all have the same "view" of the domain, so everything is probably ok. If they differ, maybe you (or they) were MiTM'ed.
Oh, and of course "publishing certificate fingerprints [somewhere]" is basically the idea behind DANE. So the idea is hardly new. The implementation, now ...
The answer is certificate pinning. For example, it is impossible to MITM Google services if you are using Chrome because the correct public keys are hardcoded in the browser itself.
If the site certificate is not pinned, you can use a 3rd party service hosted outside the MITM proxy to compare certificate fingerprints (such as https://www.grc.com/fingerprints.htm).
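
An added Python example, not part of any post in this thread: it combines the checks discussed above, noticing when a site's certificate changes and comparing the fingerprint seen locally with what notaries or a third-party service outside the proxy report. The names `check` and `normalise`, the host names and the byte strings standing in for certificates are assumptions for illustration; the outside fingerprints are assumed to arrive over a channel the interceptor does not control.

```python
import hashlib
import socket
import ssl

def fetch_der(host, port=443, timeout=5.0):
    """Leaf certificate (DER bytes) that this network path presents for host."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False       # validation is off on purpose: we want to
    ctx.verify_mode = ssl.CERT_NONE  # inspect the cert, not trust the session
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)

def fingerprint(der):
    """SHA-256 over the DER encoding, as colon-separated upper-case hex."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def normalise(fp):
    """Make fingerprints copied from a web page or another tool comparable."""
    return fp.replace(":", "").replace(" ", "").upper()

def check(host, der, pins, outside_views=()):
    """Compare the locally seen certificate with the stored pin and with
    fingerprints reported from outside the local network.
    Returns (status, names of outside views that disagree)."""
    seen = normalise(fingerprint(der))
    dissent = [name for name, fp in outside_views if normalise(fp) != seen]
    if host not in pins:
        pins[host] = seen            # trust on first use: only as good as
        status = "first-seen"        # the path was at that moment
    elif pins[host] == seen:
        status = "unchanged"
    else:
        status = "changed"           # renewal or interception; pin is kept
    return status, dissent

# Constructed stand-ins for DER certificates (any bytes hash the same way).
GENUINE = b"constructed stand-in: certificate served by the real site"
PROXY = b"constructed stand-in: certificate minted by an intercepting proxy"

if __name__ == "__main__":
    pins = {}
    views = [("notary-a", fingerprint(GENUINE)), ("notary-b", fingerprint(GENUINE))]
    print(check("example.test", GENUINE, pins, views))  # first contact, clean path
    print(check("example.test", PROXY, pins, views))    # later, through a proxy
    # Against a live host: check(host, fetch_der(host), pins, views)
```

A "changed" status with no dissenting outside views is consistent with an ordinary renewal; dissent means the local path is being shown a different certificate than the outside vantage points see, whatever the pin says.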