Updated below - 2013-09-17
What is a Certificate and what is a Certificate Authority?
How does a web site prove who they say they are?
The short answer is that they go to a Certificate Authority and, after supplying some proof of identity, purchase a certificate that says who they are.
The long answer is that much of the cryptographic infrastructure of the internet depends on the Public Key Infrastructure (PKI), which is based on the X.509 standard for digital certificates. A certificate binds a name to a public key and carries a signature from whoever vouches for that binding. Certificates provide a framework for "proving" that an actor is who they represent themselves to be, and they supply the public key used when a secure connection is set up (the encryption for the connection is then negotiated by the protocol, TLS in the case of https). There are two groupings of certificates: self-signed certificates, where the signer vouches only for itself, and certificates derived from Certificate Authorities (CAs). CAs can be public entities (you can get "store bought" certificates from Verisign, Geotrust, or whoever) or private ones. If the latter, they aren't much different from self-signed certificates: a private CA's root certificate is itself self-signed, and it is trusted only by the systems you have explicitly added it to.
Network applications that use certificates typically ship with a list of CAs (a trust store) whose certificates they will accept, and in some cases you can add CAs or individual certificates if you decide to trust them. When your browser sets up an https: connection to an online store, these certificates are in play: the browser checks that the site's certificate chains to one of the CAs in its store and that the name on it matches the site. This is how you, at least in theory, know that sears.com is really Sears and not some joker playing at being Sears in the interest of stealing credit card numbers.
This makes CAs a target, and a very attractive one at that. If you can compromise a CA, in particular its signing key, you are in a position to create certificates for any name you like, which lets you pretend to be someone else and permits all sorts of nasty attacks. And CAs have indeed been compromised, and at least one that I'm aware of has had to shut down because of the extent of the compromise. You see, once a CA has been compromised the trust relationship is broken: a fraudulent certificate carries a valid signature from a trusted CA, so a client cannot distinguish between the "real" and the "fake" certificates, and the game is over.
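To make the chain check and the compromise scenario concrete, here is an added example (my own, not code from the original post) that builds a throw-away PKI with the openssl command-line tool: a root CA, a leaf certificate for a hypothetical site, a second certificate for the same name minted with the same CA key (what an attacker holding the key would do), and a third signed by a CA the client has never heard of. The CA names, file names and the hostname sears.example are assumptions for illustration only; everything is constructed in a scratch directory.

```shell
#!/bin/sh
# Added example (not from the original post): a throw-away X.509 PKI built with
# the openssl CLI. CA names, file names and "sears.example" are assumptions for
# illustration only. All files are constructed in a scratch directory.
set -eu
WORK="${WORK:-$(mktemp -d)}"
cd "$WORK"

# A CA is a self-signed certificate whose private key signs other certificates.
# $1 = CA name, $2 = output basename (writes $2.key and $2.crt)
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -subj "/CN=$1" -keyout "$2.key" -out "$2.crt" 2>/dev/null
}

# Issue a leaf certificate: the site makes a key and a signing request (CSR),
# and the CA's key signs it. $1 = name on the cert, $2 = output basename,
# $3 = basename of the CA doing the signing
issue_cert() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$1" \
    -keyout "$2.key" -out "$2.csr" 2>/dev/null
  openssl x509 -req -in "$2.csr" -CA "$3.crt" -CAkey "$3.key" -CAcreateserial \
    -days 30 -sha256 -out "$2.crt" 2>/dev/null
}

# What a client does: accept the leaf only if it chains to a CA in its trust store.
# $1 = trust store (PEM file of trusted CA certs), $2 = certificate presented by the peer
# Prints OK or FAIL.
verify_against() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then echo OK; else echo FAIL; fi
}

make_ca "Example Root CA" ca          # the CA the client trusts
make_ca "Some Other CA"   other       # a CA the client has never heard of

issue_cert "sears.example" legit    ca     # the real site's certificate
issue_cert "sears.example" rogue    ca     # same name, minted by whoever holds ca.key
issue_cert "sears.example" stranger other  # same name, signed by a CA outside the trust store

verify_against ca.crt legit.crt       # OK
verify_against ca.crt rogue.crt       # OK   - indistinguishable from the real one
verify_against ca.crt stranger.crt    # FAIL - signature does not chain to the trust store
```

The third line is the normal protection: a certificate from an unknown signer is rejected. The second line is the whole problem with a compromised CA: the rogue certificate is a perfectly valid signature from a trusted root, so nothing in the verification step can tell it apart from the legitimate one. (Real browsers also check that the name on the certificate matches the host; that check does not help either, since the attacker chooses the name.)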
This is where it gets terrifying
We know that the government, under the cover of various and sundry security provisions, has sent orders to outfits like Lavabit, essentially ordering them to operate fraudulently by continuing to sell a secure service while secretly supplying "secured" data back to the government. This is a huge ethical dilemma, which the owner of Lavabit dealt with ethically by simply shutting down his business. The ethics of any ensuing government prosecution are left for the reader's consideration.
Should we assume that we know about all the orders in play? Of course not: for every ethical business owner there are no doubt other corporate entities that have chosen differently. So at this moment, can we trust any US-based Certificate Authorities? I think the answer is a resounding no. And this means that anything that depends on certificates from a US-based CA, whether it's a secure website or an IPSec-based Virtual Private Network, is no longer trustworthy. And that should terrify us all.
So what can we trust?
We can trust public/private key systems that don't depend on X.509, like PGP/GPG. These work using the concept of a web of trust: you decide for yourself that you know someone is who they say they are, verify their key's fingerprint with them, and accept or sign their key; others can then extend trust through the people they have verified, with no central authority to compromise. In theory, self-signed certificates are now more reliable, provided you can verify the identity of the signer out of band, for example by comparing the certificate's fingerprint with one the site operator gave you directly. This is in essence a variation on the web of trust.
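Here is what "verify the identity of the signer" looks like in practice for a self-signed certificate, as an added example of my own rather than code from the original post: instead of asking whether a CA signed the certificate, the client compares the certificate's SHA-256 fingerprint with a value obtained out of band from the operator. The hostname mail.example and the file names are assumptions for illustration; the "out of band" value here is simply computed from the genuine certificate in the same script.

```shell
#!/bin/sh
# Added example (not from the original post): trust a self-signed certificate by
# its fingerprint, verified out of band, instead of by a CA signature. The name
# "mail.example" and file names are assumptions; all files are constructed here.
set -eu
WORK="${WORK:-$(mktemp -d)}"
cd "$WORK"

# Make a self-signed certificate: the key holder vouches only for itself.
# $1 = name on the certificate, $2 = output basename
self_signed() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -subj "/CN=$1" -keyout "$2.key" -out "$2.crt" 2>/dev/null
}

# SHA-256 fingerprint of a PEM certificate, e.g. "AB:CD:...:EF"
fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# The pinning check: $1 = fingerprint you obtained from the operator out of band,
# $2 = certificate the peer presented. Prints MATCH or MISMATCH.
pin_check() {
  [ "$(fingerprint "$2")" = "$1" ] && echo MATCH || echo MISMATCH
}

self_signed "mail.example" genuine      # the operator's real certificate
self_signed "mail.example" impostor     # same name, different key: anyone can make this

# In real life PIN comes from a channel the attacker does not control
# (the operator reads it to you, prints it on paper, etc.); here it is
# constructed from the genuine certificate so the script runs offline.
PIN=$(fingerprint genuine.crt)

pin_check "$PIN" genuine.crt            # MATCH
pin_check "$PIN" impostor.crt           # MISMATCH - right name, wrong key
```

Note what this buys and what it costs: no CA, US-based or otherwise, is consulted, so a CA compromise or a coerced CA cannot produce a certificate that passes the check. The price is that the out-of-band channel has to carry updates too: if the genuine operator rotates their key, their new certificate shows up as MISMATCH until you have verified the new fingerprint with them, which is exactly the bookkeeping the PGP web of trust asks of you.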
The problem with endpoints
This still doesn't mean much if the endpoints themselves are compromised. The NSA can do that, but it's expensive, so they're more likely to do things like attack the certificate infrastructure. And your PGP/GPG key won't mean much once they hack into your PC or Mac and install a keylogger. But I've depressed everyone enough for one day.
Update - 2013-09-17
FYI, I am now using OpenPGP to sign everything sent from my primary email account. The fingerprint is 3133 3F6D AB20 AC3F 9C88 DC61 0F2C 74F4 7012 C7FA, the short id is 7012C7FA, and the keyserver is hkp://keys.gnupg.net. It's a 4096 bit RSA key. Cheers!