HTTPS has never guaranteed that you were speaking directly to a given entity. In the case of a corporation, what does that really mean, anyhow? Your web request is being handled by the CEO him- or herself?

It only means you are speaking to a device or set of devices that the certificate-holding entity has authorized to speak for them. No certificate technology can prevent a company from delegating authority to another entity's devices.

It isn't that this isn't necessarily a problem... it is that there is no way in which certificates ever solved it, nor a way in which it can solve it, and there's no choice. Whenever you're talking to X.com, you are almost certainly also talking to a third-party web stack, for instance, which means that trust has been delegated by the certificate holder to some other party's software. There's hardly a website around that doesn't have a whackload (technical term) of third parties already in the connection anyhow.

The certificate-holding entity is ultimately responsible for what they do with your trust. But the certificate can do nothing to constrain those actions. It's just a glorified number with some other glorified numbers attached to it.

It does seem to me, though, that HTTP2 should actually make it easier to do without a CDN in the end. Initial HTTP2 support will just be "HTTP1, but on HTTP2!" which really provides minimal advantages over HTTP1, but over time as we see web frameworks start to take direct advantage of being able to push down resources preemptively, the advantages of CDNs for all but the largest sites start to fade. (Perhaps not "eliminated", but certainly lessened.)

(Incidentally, as people will presumably start releasing HTTP2 benchmarks soon, keep an eye on the details. Embedding HTTP1 inside HTTP2 is not the interesting performance question and will never have big gains... the correct question to investigate is what are the gains to be had from fully using HTTP2 natively. Many SPDY benchmarks had the same problem... of course SPDY isn't faster if it's still essentially speaking HTTP1 to the target website.)
