
I know a user who runs her own root CA.

She only has one "customer": herself.

Using the OpenSSL binary the cost is free.

She decides which hosts she wants to trust, obtains their certs and signs them.

She believes she can trust her own CA more than any commercial, third party CA.



How does she verify the certs she's getting?


How do the commercial CAs verify customers before issuing certs?

Perhaps she does what they do.

I imagine for example she knows her banker, her lawyer, etc. and can contact them by phone or meet with them in person.

Maybe she also uses her friends to help her decide who to trust.

She only has to verify a relatively small number of hosts compared to a commercial CA.


Who could you possibly call at say Capital One to verify that a change in their certificate was intended instead of malicious?


Your point is understood.

For something like that, I have always thought they should be disseminating their cert via some other means besides an untrusted computer network (i.e., the internet). Or at least give customers another option.

Perhaps making their cert available at branches (e.g., printed on business cards), mailing it to customers with an expository cover letter, or even publishing it in a newspaper or some publicly available printed source.

Maybe these printed copies would be OCR-friendly, maybe not. I think two blobs of text can be compared to each other for differences without using a computer, and I can think of a few ways to make that easier. In any event, this does not seem an insurmountable problem by any stretch of the imagination, at least for me, and in my mind the benefit outweighs the cost.

Not sure about others, but I still get plenty of "official" notifications via postal mail. And with increasing frequency they relate to computer issues.

This makes me wonder why certs "must" be obtained and verified using (a) an untrusted computer network (the internet) and (b) why we need the aid of untrusted third parties often with obvious conflicts of interest to decide for us who else we can trust.

Are these not the two things that "SSL" authentication and encryption is designed to protect against?
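
The out-of-band comparison suggested in the comment above, as an added example that is not part of the thread: it checks a SHA-256 fingerprint rather than the whole certificate text, which is an assumption made here to keep the printed value short. The sample PEM is a constructed placeholder, not a real certificate, and all function names are hypothetical.

```python
import base64
import hashlib
import hmac
import re

# Constructed stand-in for a certificate: PEM armor around placeholder bytes.
# It is NOT a real X.509 certificate; only the hashing/compare path is shown.
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(b"constructed placeholder DER bytes " * 4).decode()
    + "-----END CERTIFICATE-----\n"
)

def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armor and decode the base64 body to raw DER bytes."""
    m = re.search(
        r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", pem, re.S
    )
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()), validate=True)

def fingerprint(pem: str) -> str:
    """SHA-256 over the DER encoding, as uppercase hex in 4-character groups."""
    digest = hashlib.sha256(pem_to_der(pem)).hexdigest().upper()
    return " ".join(digest[i:i + 4] for i in range(0, len(digest), 4))

def normalize(text: str) -> str:
    """Drop separators and case so a hand-typed copy compares cleanly."""
    cleaned = re.sub(r"[\s:.-]", "", text).upper()
    if not re.fullmatch(r"[0-9A-F]{64}", cleaned):
        raise ValueError("expected 64 hex digits for a SHA-256 fingerprint")
    return cleaned

def matches_printed(pem: str, printed: str) -> bool:
    """True only if the received cert hashes to the printed fingerprint."""
    return hmac.compare_digest(normalize(fingerprint(pem)), normalize(printed))

if __name__ == "__main__":
    print(fingerprint(SAMPLE_PEM))
```

The grouped output is what would go on the printed card; `matches_printed` accepts the value however the reader types it back in (spaces, colons, lower case).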



