User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:32.0) Gecko/20100101 Firefox/32.0 Build ID: 20140924083558 Steps to reproduce: Intelligence agencies and other criminals use TLS-certificates gained from CAs by trickery to run Man-In-The-Middle attacks against Firefox users which rely on TLS-encryption and -authorization. Actual results: MITM-Attack is successful if no other authentication mechanism is used than CAs. Certifcate pinning is only managable for a few well-used domains but not for the mass of existing domains. Expected results: Firefox uses "Domain Authenticated Named Entities" according to IETF RFC 6698 (http://tools.ietf.org/pdf/rfc6698) to validate the TLS-certificate. Two traffic-lights should show the states: DNSSEC: Green: DNSSEC-validation successful Yellow: No DNSSEC-RRs for hostname Red: Validation of DNSSEC-RRs failed DANE: Green: TLSA-validation successful Yellow: No TLSA-RRs for hostname Red: Validation of TLSA-RRs failed In both "Red"-cases Firefox should refuse to load/display data and show an error message. DNSSEC-proxying with DO-/AD-bit is snake-oil as a MITM-attacker can suppress DNSSEC and forge plain DNS resource records. Do not use it!

Have a look at the Firefox-Addon "DNSSEC/TLSA Validator" (https://www.dnssec-validator.cz/) for implementation details.

Hello, DANE support is still missing from Firefox. Since Firefox 57 any options to implement DANE support via extensions also eliminated. I think Firefox can benefit from DANE implementation because sites with DANE-only certificates will attract additional auditory for Firefox browser (and vice versa).