If you're in a position to MITM a TLS connection, you can most likely also alter those signatures for your target.
You would need to use something like DNSSEC as well, relying on a government-controlled PKI [1], which isn't really any better than the current situation.
The current situation is that everyone in the Starbucks can completely monitor all of your plaintext. Self-signed, encrypted, unauthenticated connections are better than plaintext connections.
