Improve security Rated 4 out of 5 stars
Just a thought for further security improvement: Certificates are bound to a domain name. The number of companies that give certificates based on a root is so large and untrustworthy that it is possible to get a certificate for any domain name (as was done recently in the Netherlands). When DNS is also hacked, one can set up a man-in-the-middle with a certificate. The only extra option is to have an extension that forces a match between certificate, domain name and (a range of) IP addresses. These addresses can be checked with dnsstuff etc. Checking the email address of a certificate and rechecking it each time might be another option for an additional check.
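
The binding suggested in this review, sketched as an added example (not code from the extension or from the reviewer): a stored pin ties a host name to a certificate fingerprint, a set of IPv4 ranges and the certificate's e-mail address, and each connection is compared against it. The function names, the pin layout, the placeholder fingerprints and the sample hosts and addresses are all assumptions constructed for illustration.

```javascript
// Added example: all names and sample values below are constructed.
// Parse a dotted-quad IPv4 address into a number, or null if malformed.
function ipv4ToInt(ip) {
  const parts = String(ip).split(".");
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}

// True if ip lies inside cidr ("a.b.c.d/len"); malformed input never matches.
function inCidr(ip, cidr) {
  const [base, len = "32"] = cidr.split("/");
  const bits = /^\d{1,2}$/.test(len) ? Number(len) : -1;
  const ipN = ipv4ToInt(ip);
  const baseN = ipv4ToInt(base);
  if (ipN === null || baseN === null || bits < 0 || bits > 32) return false;
  const size = 2 ** (32 - bits); // arithmetic, not <<, to avoid 32-bit sign issues
  return Math.floor(ipN / size) === Math.floor(baseN / size);
}

// Compare what a connection presented against the stored pin for that host.
// Returns a list of mismatches; an empty list means everything matched.
function checkConnection(pins, seen) {
  const pin = pins.get(seen.host.toLowerCase());
  if (!pin) return ["unpinned-host"];
  const problems = [];
  if (seen.fingerprint !== pin.fingerprint) problems.push("certificate-changed");
  if (!pin.ipRanges.some((r) => inCidr(seen.ip, r))) problems.push("ip-outside-range");
  if (seen.email !== pin.email) problems.push("email-changed");
  return problems;
}

// Constructed pin store: placeholder fingerprint, documentation IP ranges.
const PINS = new Map([
  ["shop.example", {
    fingerprint: "PLACEHOLDER-FINGERPRINT-ORIGINAL",
    ipRanges: ["192.0.2.0/24", "198.51.100.17/32"],
    email: "hostmaster@shop.example",
  }],
]);

const sample = { host: "shop.example", fingerprint: "PLACEHOLDER-FINGERPRINT-OTHER",
                 ip: "203.0.113.9", email: "hostmaster@shop.example" };
console.log(checkConnection(PINS, sample).join(", ") || "match");
```

Sites served from CDNs or round-robin DNS change addresses often, so the IP ranges in such a pin need to be maintained per site to avoid false alarms.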