It occurs to me that one way to validate websites would be the following:

Upon arrival at my bank's website, for example, the website could authenticate itself by sending info to an authentication server which would send back an encrypted reply to the site's server, which would then be decrypted and displayed to the user.

Granted, it's late and I'm half in the bag, but it seems plausible to me.

Perhaps I'm an ignoramus though; there might be a dozen reasons why that would never work, for all I know. I'd be interested in hearing them.