1: verifies who the other party is and prevents MITM attacks.
2: encrypts the connection and prevents snooping.
#2 still works fine, and for many people it's the only thing they care about since MITM attacks are quite rare, and if you typed the domain name yourself you don't need the verification either.
You can't securely exchange keys to do #2 without having #1.
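To illustrate the point made in that reply, here is an added toy simulation (not code from any poster, and not how any real TLS stack is written): an ephemeral Diffie-Hellman exchange run three ways, with the server's public value either left unauthenticated or accompanied by a tag the client can check against a key it already trusts. The tag stands in for the certificate-backed signature of property #1; the group (2^127-1, generator 2) is chosen only to keep the arithmetic short and is far too small for real use. The interposing party is modelled only as a substituted public value, which is enough to show the outcome: without #1 the client accepts a session whose key is not shared with the server at all.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group: Mersenne prime 2^127-1 with generator 2.
# Constructed for illustration only; real deployments use 2048-bit+ groups or ECDHE.
P = (1 << 127) - 1
G = 2


def dh_keypair():
    """Return (private exponent, public value g^x mod p)."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def dh_session_key(priv, peer_pub):
    """Derive a 32-byte session key from the shared DH secret."""
    shared = pow(peer_pub, priv, P)
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()


def authenticate_pub(auth_key, pub):
    """Tag the public value with a key the client already trusts.

    Assumption: this HMAC stands in for the server signing its ephemeral
    value with the private key behind a certificate the client has verified
    (property #1). No real handshake uses a shared secret for this step.
    """
    return hmac.new(auth_key, pub.to_bytes(16, "big"), hashlib.sha256).digest()


def verify_pub(auth_key, pub, tag):
    return hmac.compare_digest(authenticate_pub(auth_key, pub), tag)


def run_exchange(authenticate, substituted):
    """Simulate one handshake.

    authenticate: whether the server's public value carries a checkable tag.
    substituted:  whether the value the client receives was replaced in transit
                  (the replacing party holds its own private exponent, not the server's).

    Returns {"client_accepted": bool, "keys_match": bool}. keys_match reports
    whether the key the client derived equals the one the server derived.
    """
    server_auth_key = secrets.token_bytes(32)  # trusted by the client in advance
    s_priv, s_pub = dh_keypair()
    tag = authenticate_pub(server_auth_key, s_pub) if authenticate else None

    # What actually arrives at the client.
    received_pub = s_pub
    if substituted:
        _, received_pub = dh_keypair()  # value from a third party's own keypair

    # With property #1 the client rejects a value it cannot tie to the server.
    if authenticate and not verify_pub(server_auth_key, received_pub, tag):
        return {"client_accepted": False, "keys_match": False}

    c_priv, c_pub = dh_keypair()
    client_key = dh_session_key(c_priv, received_pub)
    # The server computes its key from its own exponent; if the client's value was
    # likewise substituted on the way back, the server's key matches the third party,
    # not the client. Either way the two endpoints do not share a key.
    server_key = dh_session_key(s_priv, c_pub)
    return {"client_accepted": True, "keys_match": client_key == server_key}


if __name__ == "__main__":
    print("authenticated, untouched :", run_exchange(True, False))
    print("authenticated, substituted:", run_exchange(True, True))
    print("unauthenticated, substituted:", run_exchange(False, True))
```

The third line of output is the one the reply is about: the client "accepted" and will happily encrypt with the key it derived, but that key is not the server's, so property #2 has not actually been achieved. Only the authenticated variant turns the substitution into a handshake failure.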
Not sure why you think active attacks are more rare than any other attack against TLS/SSL sessions. Any time you are in a position to perform a passive attack (snooping) you could also perform an active attack (MITM). The only difference is which point-and-click attack tool you download.
Of course I can perform a MITM attack on a wireless network. You might try thinking about the communication layers above PHY. Almost any of them will do.
Agreed the certificate provider mentioned is a fraud, but so is Veritas, who issued a certificate identifying some random person as microsoft.com a few years ago.
Governments need to regulate, and audit, certificate providers, and financially punish them for failing audits.
Now that Firefox has explicit support for key continuity management, I think I'll just dump my root CA store and go with that. Global PKI is just not such a great idea.