Comment by vbezhenar

We have DNS system in place which should be enough to establish trust between browser and SSL public key. E.g. site could store self-signed certificate fingerprint in the DNS record and browser should be fine with that. If DNS system is spoofed, user will be in bad place anyway so DNS system must be secured in any case.