Gervase Markham wrote:
> I wanted to raise a suggestion from John Nagle to the status of a new
> thread. John suggested that, in Private Browsing Mode only, Firefox
> should inform the user if they make a secure connection using a
> certificate which is not one of the default set in NSS's root store.
>
> The logic is that if a user is using PBM, they are unlikely to be
> browsing their own intranet, or other location where the certificate
> chains up to a manually-installed cert. Therefore, if one is being used,
> they are likely to be being MITMed. They may have consented to this,
> e.g. at a workplace - hence the suggestion that this is a prominent user
> interface indicator, e.g. a non-dismissable infobar, rather than a
> blocking page or red scary warning.

Given the fact that there are so many CA certs pre-installed as "trusted" issued by CAs with dubious reputation, I'd rather vote for displaying a warning to make the user explicitly accept a certain CA cert for a given DNS name once.

Ciao, Michael.
