by coffee-- 899 days ago
It was years in the making for Firefox to be able to do "intermediate preloading" - we [0] had to make the policy changes for all intermediates to be disclosed, and then let that take effect [1].

Preloading like this shouldn't be necessary, I agree with the author, but worse than this is any bug report of "Works in Chrome, not in Firefox." Prior to this preloading behavior shipping in Firefox 75, incorrectly-configured certificate chains were a major source of those kinds of bugs [2].

[0] This was me (:jcj) and Dana

[1] https://wiki.mozilla.org/Security/CryptoEngineering/Intermed...

[2] https://blog.mozilla.org/security/2020/11/13/preloading-inte...

1 comments

I find it pretty cool that you went to the length of publicly announcing it and everything for something that everyone else was doing already. That does show some integrity in the face of "let's just make it work" people.

Nonetheless, as a web developer (which I am less than 5% of my programming time, probably less, so I'd rather not lose my hair over adjacent stuff) this has been extremely frustrating to debug in the past. Would it be possible/make sense to show maybe a small yellow (i) as like an 8x8px icon at the bottom right of the lock to show that something's up? And then if the user clicks "more information" on the "secure connection" (which I believe is deep enough to be more power-user/developer-centered) show a yellow line saying "your certificate chain's broken dude"?

I haven't hit this issue in several years, and it's unlikely I will hit it again because I'm now systematically using caddy as a front which will do TheRightThing (or so I hope), so maybe my comment is outdated/irrelevant, in which case, feel free to ignore me.