It would nice if one day browsers and all other internet clients would use a standardized interface to ask the OS for the IP address and public key tuple for that domain name as determined by the DNS blockchain software installed on the computer (I'm hoping it's BitShares DNS : ) ). Then the internet client would validate the TLS connection directly using the given public key.
Until that magical day, backwards compatibility hacks are needed to easily get adoption in the beginning. It would be really powerful if I could use my browser (with no extensions or plugins), have traditional HTTPS sites work, and have blockchain registered domains also securely work (with no risk of man-in-the-middle attacks). I've briefly described
how I would like to see this done. Just have a local HTTP proxy daemon running on the computer which man-in-the-middle attacks SSL connections and rewrites the SSL certificate and signs it with its own local trusted CA key. If the domain is a legacy domain signed by a third-party CA in a list of trusted legacy CAs, then the proxy will resign the certificate with its own key. If the domain is a BitShares DNS domain that validates according to the blockchain, then the proxy will sign the certificate with its own key. Otherwise, break the certificate so the browser complains. Then the browser is set up to only have one trusted CA key (the one of the local proxy) and is configured to use the HTTP proxy.
The real trouble is how this could work on mobile devices. You would need to be able to run a daemon proxy accepting the mobile browser's HTTP(S) connections. This might work on Android, not sure about iOS. Maybe a custom browser app is the other way to go on mobile?