The whole trust model is a bit broken to begin with anyway however, because there are really only two trust levels: absolute trust and none at all; and is it like your web browser actively checks certificate revocations from the CA? I’ll give you a hint – they don’t.

I disagree that self-signed certificates are useless in general, but only if you already have a trusted copy of your CA’s public certificate on your machine. For example, up until recently I used to self-sign my IMAP/SSL certificate because I can trust it once and explicitly remember the one you trust. This is how SSH works – hosts generate their host key once off and use that for all future communication: you build the trust when you first connect.

Interesting projects for the doubters include the Australian based CACert, which offers web-of-trust style verification and an equivalent level of verification as low-end SSL providers. The only problem is that their CA certificate isn’t trusted in any browsers or OS platforms – though there’s a 10 year old ticket at Mozilla for changing this (and a huge debate surrounding it).

Ultimately, whilst we can keep using bigger and bigger keys (to keep ahead of brute forcing by a comfortable margin) – the weakness with SSL is in how it’s implemented.