The CA system is garbage. I use Certificate Patrol and Perspectives to protect against this kind of thing. I wish I could disable all CAs, but Firefox is bad at handling this.
My favorite idea for replacing the CA system is to put certificates in DNSSEC-protected DNS records. Then only people you have agreements with can screw you: your registrar, registry, and ICANN.
In this way, a CA may not be better than manually confirming each certificate yourself (except maybe the first time you visit a website and use the CA to match the name you want to visit).
Anyway, I never realized this before.