Thanks for the overview of a real problem, Andrew. (I recall having to add an exception for a "Mozilla Root CA" to access email at one time.)
Andrew Sutherland writes:
> I propose that we use a certificate-observatory-style mechanism to
> corroborate any invalid certificates by attempting the connection
> from 1 or more trusted servers whose identity can be authenticated
> using the existing CA infrastructure.

Although this can identify a MITM between the mail client and the internet, I assume it won't identify one between the mail server and the internet.

> *** "it looks like you are behind a corporate firewall that MITMs
> you, you should add the firewall's CA to your device. Send the
> user to a support page to help walk them through these steps if
> that seems right."
> *** "it looks like the user is under attack"

I wonder how to distinguish these two situations and whether they really should be distinguished.
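To make the two limitations raised in this reply concrete, here is an added example (mine, not Andrew's proposal or any Mozilla code) that models the corroboration check with constructed fingerprints and hypothetical observer names: a client-side interceptor (corporate firewall or attacker alike) shows up as a mismatch, while an interceptor in front of the mail server is seen identically by every observer and passes as consistent.

```python
from collections import Counter
from dataclasses import dataclass

# Constructed sample fingerprints (not real certificates).
GENUINE_FP = "sha256:genuine-mail-server-leaf"
FIREWALL_FP = "sha256:corporate-firewall-leaf"
ATTACKER_FP = "sha256:attacker-leaf"


@dataclass(frozen=True)
class Observation:
    observer: str      # hypothetical trusted server that attempted the connection
    fingerprint: str   # leaf certificate fingerprint it received


def corroborate(local_fp, observations, quorum=2):
    """Compare the client's locally observed leaf against what the trusted
    observers saw.  Only a mismatch between the client and the observers'
    consensus is detectable; agreement says nothing about interception
    that sits beyond the observers' vantage points, and a mismatch alone
    does not say who is intercepting."""
    counts = Counter(o.fingerprint for o in observations)
    consensus_fp, votes = counts.most_common(1)[0]
    if votes < quorum:
        return "inconclusive"
    if consensus_fp == local_fp:
        return "consistent"
    return "client-path-mismatch"


def simulate(client_side_fp=None, server_side_fp=None):
    """Model one connection attempt.  A client-side interceptor replaces
    the leaf only on the client's own path; a server-side interceptor
    sits in front of the mail server and replaces it for everyone,
    observers included."""
    served_fp = server_side_fp or GENUINE_FP
    local_fp = client_side_fp or served_fp
    observations = [Observation(name, served_fp)
                    for name in ("obs-a", "obs-b", "obs-c")]
    return corroborate(local_fp, observations)
```

Note that `simulate(client_side_fp=FIREWALL_FP)` and `simulate(client_side_fp=ATTACKER_FP)` return the same verdict: the mechanism has no signal to tell the two apart.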