At the moment we are, like everyone else, vulnerable to malicious certificate authorities issuing fraudulent SSL certificates.
CA pinning is in the works. References:
- https://bugzilla.mozilla.org/show_bug.cgi?id=744204
- https://wiki.mozilla.org/Security/Features/CA_pinning_functionality
- https://tools.ietf.org/html/draft-evans-palmer-key-pinning-00
Not perfect: it pins more than just the certificate fingerprint, and it still depends on two CAs, but at least not on a massive number of them.
Once done, we should apply for it.
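To make the mechanism behind the draft concrete, here is an added Python example (not code from the tracked project or from Mozilla) of how Public-Key-Pins style pinning hashes the SubjectPublicKeyInfo, how a pin header is parsed, and how a chain is checked against the stored pin set. The SPKI blobs are constructed placeholder byte strings rather than real DER, since a pin is just a hash over bytes; the backup-pin check follows the rule RFC 7469 (the finished form of this draft) later made explicit.

```python
"""Key-pinning checks in the style of draft-evans-palmer-key-pinning-00 and
RFC 7469 (Public-Key-Pins). Added example code, not part of the original
task or project."""
import base64
import hashlib

# Constructed placeholder SubjectPublicKeyInfo blobs (NOT real DER). A pin is
# a hash over the SPKI bytes, so any bytes illustrate the mechanism.
GOOD_LEAF_SPKI = b"constructed-spki: example.org leaf key"
GOOD_INTERMEDIATE_SPKI = b"constructed-spki: trusted intermediate CA key"
GOOD_ROOT_SPKI = b"constructed-spki: trusted root CA key"
BACKUP_SPKI = b"constructed-spki: offline backup key"
ROGUE_LEAF_SPKI = b"constructed-spki: leaf issued by a compromised CA"
ROGUE_CA_SPKI = b"constructed-spki: compromised CA key"


def spki_pin(spki_der: bytes) -> str:
    """pin-sha256 value: base64 of SHA-256 over the DER SubjectPublicKeyInfo.
    Hashing the key rather than the whole certificate lets a site renew its
    certificate (new serial, new validity) without changing its pins."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def build_pkp_header(spkis, max_age, include_subdomains=False):
    """Build a Public-Key-Pins header value for the given SPKIs."""
    parts = ["max-age=%d" % max_age]
    parts += ['pin-sha256="%s"' % spki_pin(s) for s in spkis]
    if include_subdomains:
        parts.append("includeSubDomains")
    return "; ".join(parts)


def parse_pkp_header(value):
    """Return (pins, max_age, include_subdomains) from a header value.
    Unknown directives are ignored, as the spec requires."""
    pins, max_age, include_sub = set(), None, False
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        name = name.strip().lower()
        val = val.strip().strip('"')
        if name == "pin-sha256":
            pins.add(val)
        elif name == "max-age":
            max_age = int(val)
        elif name == "includesubdomains":
            include_sub = True
    return pins, max_age, include_sub


def chain_matches_pins(chain_spkis, pins):
    """Pin validation: the chain is accepted only if at least one SPKI in it
    (leaf, intermediate or root) hashes to a pinned value. A chain built by a
    CA whose key was never pinned fails here even though it is CA-signed."""
    return any(spki_pin(s) in pins for s in chain_spkis)


def header_has_backup_pin(chain_spkis, pins):
    """RFC 7469 requires a received pin set to contain at least one pin NOT
    present in the current chain, so a site that loses its key can recover
    instead of locking its own visitors out."""
    chain_pins = {spki_pin(s) for s in chain_spkis}
    return bool(pins - chain_pins)


def demo():
    """Walk through the two cases the task describes: the legitimate chain
    and a chain from a CA that should not be issuing for this host."""
    good_chain = [GOOD_LEAF_SPKI, GOOD_INTERMEDIATE_SPKI, GOOD_ROOT_SPKI]
    header = build_pkp_header([GOOD_INTERMEDIATE_SPKI, BACKUP_SPKI],
                              max_age=5184000, include_subdomains=True)
    pins, _, _ = parse_pkp_header(header)
    rogue_chain = [ROGUE_LEAF_SPKI, ROGUE_CA_SPKI, GOOD_ROOT_SPKI]
    return {
        "header_ok": header_has_backup_pin(good_chain, pins),
        "good_chain_accepted": chain_matches_pins(good_chain, pins),
        "rogue_chain_accepted": chain_matches_pins(rogue_chain, pins),
    }


if __name__ == "__main__":
    print(demo())
```

Pinning the intermediate rather than the leaf is what the task means by "still depending on two CAs": the pin set names the CA keys that are allowed to sign for the host, so any other trusted root, compromised or not, is rejected for that host.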
Related:
T84