Certificate Transparency (CT) looks promising to the rescue
Browsers can usually detect malicious websites that are provisioned with forged or fake x.509 certificates. Thanks to digital signatures and encryption. However, current cryptographic mechanisms aren’t so good at detecting malicious websites if they’re provisioned with mistakenly issued certificates or certificates that have been issued by a certificate authority (CA) that’s been compromised or gone rogue. This type of CT protects against the possibility that a public CA may be compromised.