
If you don't know who you're talking to, then there is no point in encrypting the data, because you're probably talking to the attacker. ("Man In The Middle")

Now, the idea of "I'm talking to the same person I talked to last time" is useful, but if the users are all conditioned to accept random certificates without understanding, then when they go back a second time (and the attacker is waiting), they'll agree to the new cert, just like they did the first time.



If you create an account on happykittens.com, you don't really care if the cert happykittens.com is sending you is signed by a trusted CA. What you care about is that the second time you visit the site, when you log in with your brand new account, the cert the site sends you is the same one you received when you created the account (the site is the same one you created the account on). This has nothing to do with whether the cert is signed by a trusted CA or not, and thus, making it difficult for the user to accept a SS cert is not the right solution IMHO.


Key continuity is a fine answer to this problem. Just come up with a way to provide it on every device every user might reasonably want to log in from, for every site on the Internet.


If you've ever run an e-commerce site, you'll know that payments drop off significantly when browsers start throwing up warning signs.


Which is good, because without that dropoff, your customers' security would be an externality to you.


Regardless, it's still better than straight HTTP.

HTTP < Encrypted HTTP < Encrypted, signed HTTP


Actually, no. For all practical intents and purposes encryption w/o authentication is as good as no encryption.

Unauthenticated encryption is 'better' than plaintext in just one thing - it protects against passive snooping. Anyone willing to splice the connection will have full access to all your plaintext data and you won't even know about it. As such it's nothing more than an equivalent of reversible traffic obfuscation.

So if your "better" meant "obfuscated", then, yeah, it's better. But it's no more secure (in a conventional security sense) than plaintext.
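
The key-continuity check debated in this thread, as an added example that is not part of any comment: a per-device trust-on-first-use pin store that records a certificate fingerprint on first contact and reports any later change. The `PinStore` class, the file names and the certificate byte strings are constructed for illustration.

```python
import hashlib
import hmac
import json
import tempfile
from pathlib import Path


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the DER certificate, the value a continuity check pins."""
    return hashlib.sha256(der_cert).hexdigest()


class PinStore:
    """Per-device trust-on-first-use store: host -> first-seen fingerprint."""

    def __init__(self, path):
        self.path = Path(path)
        self.pins = json.loads(self.path.read_text()) if self.path.exists() else {}

    def check(self, host: str, der_cert: bytes) -> str:
        fp = fingerprint(der_cert)
        pinned = self.pins.get(host)
        if pinned is None:
            # First contact: nothing to compare against, so this is a leap of faith.
            self.pins[host] = fp
            self.path.write_text(json.dumps(self.pins))
            return "first-use"
        # A changed certificate is reported and never silently re-pinned.
        return "match" if hmac.compare_digest(pinned, fp) else "mismatch"


def demo():
    # Constructed stand-ins for DER certificates; live code would pass
    # ssl.SSLSocket.getpeercert(binary_form=True).
    site_cert = b"constructed-cert: happykittens.com (self-signed)"
    other_cert = b"constructed-cert: happykittens.com (different key)"
    with tempfile.TemporaryDirectory() as tmp:
        laptop = PinStore(Path(tmp) / "laptop.json")
        results = [
            laptop.check("happykittens.com", site_cert),   # account creation
            laptop.check("happykittens.com", site_cert),   # later login
            laptop.check("happykittens.com", other_cert),  # cert changed
        ]
        # Reloading from disk keeps the original pin after the mismatch.
        reloaded = PinStore(Path(tmp) / "laptop.json")
        results.append(reloaded.check("happykittens.com", site_cert))
        # A second device has no pin, so any cert it sees first is accepted.
        phone = PinStore(Path(tmp) / "phone.json")
        results.append(phone.check("happykittens.com", other_cert))
    return results
```

The last result is the gap two of the comments point at: a device with no stored pin has nothing to compare against, so continuity says nothing about the first connection.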



