I don't understand many of your comments here: why you say that they are like a CA, or bypassing the SSL security model. People will still be using SSL to connect to their web sites. This plug-in does not provide the security that SSL does.
You also exhibit a curious failure to critically analyze this product from the security perspective. I can't help thinking that your anti-CA bias has blinded you to any security flaws in this alternative.
I also wonder who is "we", as in "we didn't think of that". Are you royalty now?
To answer your questions in reverse order:
> Are you royalty now?
That was the inclusive us, not the royal we! Sorry, it kinda slipped out. I have a bad habit of including everyone in the discussion, instead of blowing my own trumpet. I know that annoys people of your culture, and I'll try to remember to blow harder next time ;-)
> You also exhibit a curious failure to critically analyze this product from the security perspective.
Sorry, yes, to put that in further light, I skipped analysing it because it is obviously insecure. What is there to say?
> This plug-in does not provide the security that SSL does.
Correct. It provides something different.
> I can't help thinking that your anti-CA bias has blinded you to any security flaws in this alternative.
Right, either that, or your pro-CA bias has blinded you to any possibility that a non-CA approach might help. Or both :)
> People will still be using SSL to connect to their web sites.
I guess, yes, maybe. I don't see that as relevant, as SSL isn't protecting them anyway, because the attack totally bypasses SSL.
> or bypassing the SSL security model.
The SSL security model is supposed to address spoofing. That is, protect against an MITM that allows the attacker to glean information. Phishing is such an attack. Now, to use the SSL security model to address phishing, one would expand the use of certs to relate the server and client together, sans CA. E.g., caching and tracking. It's a pretty minor change, in tech terms, but it does take the shine off the CA concept, rather. Which is why it has failed to gain traction, I guess, because as you intimate there are a lot of people who can't bear to see the CA concept challenged.
Back to Netcraft. In its attempt to address the MITM of phishing, Netcraft doesn't do that; it creates (or reuses) a whole new infrastructure alongside SSL and uses that to make comments on whether the user is being spoofed or not. Hence, it bypasses SSL.
> they are like a CA
Because they are a central party from which you go to get an opinion. I'm using the words in a broad, sweeping sense here. But, don't be fooled by the broad brush; if Netcraft wanted to become even more like a CA, what would stop them?
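As an added illustration of the "caching and tracking" idea in the reply above (example code written for this page, not Netcraft's toolbar and not the commenter's own design), the following Python sketch keeps a per-host record of the certificate fingerprint a client first saw and flags any later change, with no CA in the loop. The host names and certificate bytes are constructed placeholders, not real DER certificates.

```python
import hashlib
import json
from pathlib import Path


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 fingerprint of the certificate exactly as the server presented it.

    Using the whole DER blob (not just the public key) means any reissue is
    reported; a stricter or looser notion of 'same server' is a policy choice.
    """
    return hashlib.sha256(cert_der).hexdigest()


class CertCache:
    """Trust-on-first-use store: host name -> fingerprint seen on first contact.

    This is an assumed, illustrative design. It relates client and server by
    remembering what was seen, rather than by asking a third party.
    """

    def __init__(self, path=None):
        # Optional on-disk persistence; kept off by default so the class can
        # be exercised in memory without touching the filesystem.
        self.path = Path(path) if path else None
        self.seen = {}
        if self.path and self.path.exists():
            self.seen = json.loads(self.path.read_text())

    def _save(self):
        if self.path:
            self.path.write_text(json.dumps(self.seen, indent=2))

    def check(self, host: str, cert_der: bytes) -> str:
        """Return 'first-use', 'match' or 'MISMATCH' for this host/cert pair.

        A mismatch never overwrites the stored fingerprint: the user must
        consciously call forget() before the new key is accepted, otherwise
        an attacker's cert would silently replace the remembered one.
        """
        fp = fingerprint(cert_der)
        prior = self.seen.get(host)
        if prior is None:
            self.seen[host] = fp
            self._save()
            return "first-use"
        if prior == fp:
            return "match"
        return "MISMATCH"

    def forget(self, host: str) -> None:
        """Explicit user action to drop a remembered key (e.g. planned rotation)."""
        self.seen.pop(host, None)
        self._save()


if __name__ == "__main__":
    # Constructed sample session: same site twice, then a different cert.
    cache = CertCache()
    print(cache.check("bank.example", b"constructed-cert-A"))  # first-use
    print(cache.check("bank.example", b"constructed-cert-A"))  # match
    print(cache.check("bank.example", b"constructed-cert-B"))  # MISMATCH
```

The caveat a practitioner would add: continuity only catches a changed key at a host the client already knows. A phishing site at a lookalike host name starts a fresh "first-use" relationship, so a scheme along these lines has to key the cache on something the user owns (a bookmark or petname for "my bank") rather than on whatever host name arrived in an e-mail.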