CAs are almost useless, so self-signed certs are the only reasonable way to go. The validation should be done with a web of trust a la PGP; this is the only reliable way.
HTTPS itself is, in many cases, analyzable, and in many others, already broken. It's not the panacea for security and privacy that many people (who don't know much about these protocols or crypto) think. Using TLS for everything is a waste of energy.
Also, today's WWW is pretty disgusting: making everything a WEB APP that uses tens of javashit libraries and languages that compile to javashit, using jewson restful apis everywhere, putting all ur shit in thousands of cdns, tracking everybody, all your data on le cloud, analyzing users with poor ML algorithms and delivering "special content" based on its results. So why do you want to encrypt anything? The Antichrist is here /prog/, and you cannot escape!