I wanted to raise a suggestion from John Nagle to the status of a new thread. John suggested that, in Private Browsing Mode only, Firefox should inform the user if they make a secure connection using a certificate which is not one of the default set in NSS's root store.
The logic is that if a user is using PBM, they are unlikely to be browsing their own intranet, or other location where the certificate chains up to a manually-installed cert. Therefore, if one is being used, they are likely to be being MITMed. They may have consented to this, e.g. at a workplace - hence the suggestion that this is a prominent user interface indicator, e.g. a non-dismissable infobar, rather than a blocking page or red scary warning.

Do people think this makes any sense?

Gerv

_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security
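To make the proposed check concrete, here is an added illustration (not Firefox or NSS code, and not part of the original thread) of the decision it describes: take the chain the server presented, identify the trust anchor by its SHA-256 fingerprint, and only raise the indicator when the anchor is outside the default root set and the session is in private browsing. The certificates and the "builtin" fingerprint set are constructed placeholders, not real roots.

```python
import base64
import hashlib
import re

# Matches each PEM-armoured certificate in a bundle (leaf first, anchor last).
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_chain_to_der(pem_chain):
    """Split a PEM bundle into DER blobs, in the order the server sent them."""
    return [base64.b64decode("".join(body.split())) for body in PEM_RE.findall(pem_chain)]


def sha256_fingerprint(der):
    """SHA-256 over the DER encoding: the identifier root stores key on."""
    return hashlib.sha256(der).hexdigest()


def choose_indicator(pem_chain, builtin_root_fingerprints, private_browsing):
    """Return (indicator, reason): 'infobar' only for a non-default anchor in PBM."""
    ders = pem_chain_to_der(pem_chain)
    if not ders:
        raise ValueError("chain contains no certificates")
    anchor_fp = sha256_fingerprint(ders[-1])  # last cert in the chain is the anchor
    if anchor_fp in builtin_root_fingerprints:
        return "none", "anchor is in the default root store"
    if not private_browsing:
        return "none", "non-default anchor, but not in private browsing"
    return "infobar", "non-default anchor %s... in private browsing" % anchor_fp[:16]


def fake_pem(body):
    """Wrap constructed bytes in PEM armour; stands in for a real DER certificate."""
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(body).decode()


# Constructed sample data: one "default" root, one workplace-installed root, one leaf.
BUILTIN_ROOT = b"constructed: default NSS root"
USER_ROOT = b"constructed: workplace-installed root"
LEAF = b"constructed: leaf certificate"
BUILTIN_ROOTS = {sha256_fingerprint(BUILTIN_ROOT)}
CHAIN_BUILTIN = fake_pem(LEAF) + fake_pem(BUILTIN_ROOT)
CHAIN_USER = fake_pem(LEAF) + fake_pem(USER_ROOT)

if __name__ == "__main__":
    for name, chain in (("builtin", CHAIN_BUILTIN), ("user-installed", CHAIN_USER)):
        for pbm in (False, True):
            print(name, "pbm=%s" % pbm, choose_indicator(chain, BUILTIN_ROOTS, pbm))
```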