
Is there a way to check if any non-standard root CAs have been added to my browser, without going through them one by one and comparing them to a fresh install? If not, is there at least a button to reset the list to a blessed-by-Mozilla default?

Because it's not just Superfish we need to be worried about. It's too easy for arbitrary programs to add root CAs to browsers, even if they aren't pre-installed by the hardware manufacturer. A while ago, I installed Avast! Antivirus on a Windows PC and found that it did exactly the same thing: injecting its own root CA into every browser (including Firefox) so that it could MITM all https connections.

Corporate IT with their own root CA is a special case that has nothing to do with the vast majority of Firefox users. For the rest of us, it would be very helpful if Firefox shipped with an independent certificate verification feature by default. Corporate IT can feel free to disable it at their own risk.



There are 176 certs in Firefox

https://wiki.mozilla.org/CA:IncludedCAs

So you could just count them, that would be a start :)

Direct link to Google spreadsheet:

https://docs.google.com/spreadsheet/ccc?key=0Ah-tHXMAwqU3dGx...

EDIT: I tried it myself, exporting all the X509.crts from FF36.0 and got 253!

sigh
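The comparison asked about in this thread (an exported certificate list checked against one from a fresh install), as an added example that is not part of either comment: it fingerprints every certificate in two PEM bundles and reports entries that appear in only one of them. The function names and the sample bundles are assumptions made for illustration; the sample "certificates" are constructed placeholder bytes, not real CA certificates.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def fingerprints(pem_bundle):
    """Return the set of SHA-256 fingerprints (hex) of each cert in a PEM bundle."""
    found = set()
    for body in PEM_RE.findall(pem_bundle):
        der = base64.b64decode("".join(body.split()))  # drop line breaks
        found.add(hashlib.sha256(der).hexdigest())
    return found


def diff_stores(baseline_pem, exported_pem):
    """Compare an exported store against a baseline taken from a fresh install."""
    base, cur = fingerprints(baseline_pem), fingerprints(exported_pem)
    return {"added": sorted(cur - base), "missing": sorted(base - cur)}


def pem_wrap(der):
    """Wrap raw bytes in PEM armor (used only to build the sample input)."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines)
            + "\n-----END CERTIFICATE-----\n")


# Constructed sample input: placeholder bytes standing in for DER certificates.
ROOT_A = b"constructed-placeholder-root-A" * 8
ROOT_B = b"constructed-placeholder-root-B" * 8
INJECTED = b"constructed-placeholder-injected-root" * 8

BASELINE = pem_wrap(ROOT_A) + pem_wrap(ROOT_B)
# Different order and one extra entry compared with the baseline.
EXPORTED = pem_wrap(ROOT_B) + pem_wrap(INJECTED) + pem_wrap(ROOT_A)

if __name__ == "__main__":
    result = diff_stores(BASELINE, EXPORTED)
    for fp in result["added"]:
        print("not in baseline:", fp)
    for fp in result["missing"]:
        print("missing from export:", fp)
```

Because the comparison is a set difference on fingerprints, ordering and duplicate entries in either bundle do not affect the result, and each difference is identified by the fingerprint a certificate viewer displays.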



