Comment 21 for bug 239360

In , Nelson-bolyard (nelson-bolyard) wrote :

Regarding the statement: "You should only add this exception if you have
already confirmed the information yourself."

Most users will not understand what it is that must be confirmed. They will
think "I am looking for a cert for site X (e.g. paypal.com) and this cert
claims to be for paypal.com, so I confirm this information". They will not
understand that it is not enough to confirm that the cert contains the
intended site name or the intended company name. It is necessary to confirm
that the value of the PUBLIC KEY in the cert is actually the public key
belonging to the rightful owner/operator of the named site. In general,
that can only be confirmed by ASKING the site owner/operator to confirm it,
and doing so through channels that are known to lead to the rightful
owner/operator. Sending email to the email address in the attacker's cert
for confirmation isn't good enough. It cannot be confirmed by a guess by the
browser user. IMO, if we don't spell that out, many people will erroneously
"confirm" the wrong information, and be victims.

Maybe we need a link to a page on "how to confirm the information in this cert".
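The distinction the comment above draws (the subject name can be "confirmed" by anyone who can read it, the public key only by comparing it against what the rightful operator says it is) is easier to see in code. The following is an added example, not part of the bug thread and not Firefox or NSS code. It constructs two minimal DER certificates inline, both with a subject CN of paypal.com but carrying different (made-up, unrealistically short, never signed) RSA public keys, and shows that a name check accepts both while a comparison of the SubjectPublicKeyInfo against a fingerprint obtained out of band accepts only the legitimate one. The `fake_cert`, `cert_fields`, `name_matches` and `key_matches` helpers, the OID constants and the modulus bytes are all assumptions for this illustration; the out-of-band fingerprint is simply computed here from the legitimate key to stand in for what a user would obtain from the site operator.

```python
"""Added example (not from the bug thread): confirming the NAME in a cert vs.
confirming the PUBLIC KEY.  All certificates and keys are constructed inline as
minimal DER structures with placeholder signatures; nothing here is a real key."""
import hashlib

# --- minimal DER encoder, just enough to build a synthetic X.509 certificate ---
def der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

SEQ, SET, INT, OID, UTF8, BITSTR, NULL = 0x30, 0x31, 0x02, 0x06, 0x0C, 0x03, 0x05
OID_RSA = bytes.fromhex("2a864886f70d010101")   # 1.2.840.113549.1.1.1 rsaEncryption
OID_CN = bytes.fromhex("550403")                # 2.5.4.3 commonName

def spki(modulus_bytes):
    """SubjectPublicKeyInfo wrapping a (constructed, toy-sized) RSAPublicKey."""
    rsa_key = tlv(SEQ, tlv(INT, modulus_bytes) + tlv(INT, b"\x01\x00\x01"))
    alg = tlv(SEQ, tlv(OID, OID_RSA) + tlv(NULL, b""))
    return tlv(SEQ, alg + tlv(BITSTR, b"\x00" + rsa_key))

def name(cn):
    """X.501 Name with a single CN attribute."""
    return tlv(SEQ, tlv(SET, tlv(SEQ, tlv(OID, OID_CN) + tlv(UTF8, cn.encode()))))

def fake_cert(cn, modulus_bytes):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature },
    with tbsCertificate fields in X.509 order so a parser can locate the SPKI.
    The signature is a placeholder: this example never verifies signatures."""
    tbs = tlv(SEQ,
              tlv(0xA0, tlv(INT, b"\x02")) +      # [0] version v3
              tlv(INT, b"\x01") +                  # serialNumber
              tlv(SEQ, tlv(OID, OID_RSA)) +        # signature algorithm (placeholder)
              name("Some CA") +                    # issuer
              tlv(SEQ, b"") +                      # validity (left empty; not the point)
              name(cn) +                           # subject
              spki(modulus_bytes))                 # subjectPublicKeyInfo
    return tlv(SEQ, tbs + tlv(SEQ, tlv(OID, OID_RSA)) + tlv(BITSTR, b"\x00sig"))

# --- minimal DER walker ---
def der_children(buf):
    """Yield (tag, value, raw_tlv) for each TLV in buf; handles long-form lengths."""
    i = 0
    while i < len(buf):
        tag, n, j = buf[i], buf[i + 1], i + 2
        if n & 0x80:
            k = n & 0x7F
            n = int.from_bytes(buf[j:j + k], "big")
            j += k
        yield tag, buf[j:j + n], buf[i:j + n]
        i = j + n

def body(tlv_bytes):
    return next(der_children(tlv_bytes))[1]

def cert_fields(cert):
    """Return (subject_raw, spki_raw) from the tbsCertificate."""
    fields = list(der_children(body(body(cert))))
    if fields[0][0] == 0xA0:                     # optional explicit [0] version
        fields = fields[1:]
    # serial, sigAlg, issuer, validity, subject, subjectPublicKeyInfo
    return fields[4][2], fields[5][2]

def subject_cn(subject_raw):
    for _, rdn, _ in der_children(body(subject_raw)):
        for _, atv, _ in der_children(rdn):
            oid, val = list(der_children(atv))[:2]
            if oid[1] == OID_CN:
                return val[1].decode()
    return None

# --- the two kinds of "confirmation" ---
def name_matches(cert, expected_host):
    """What most users would check: does the cert claim to be for this site?"""
    return subject_cn(cert_fields(cert)[0]) == expected_host

def spki_fingerprint(cert):
    """SHA-256 over the DER SubjectPublicKeyInfo (the value an operator can publish)."""
    return hashlib.sha256(cert_fields(cert)[1]).hexdigest()

def key_matches(cert, pinned_fingerprint_hex):
    """What actually needs confirming: is this the rightful operator's key?"""
    return spki_fingerprint(cert) == pinned_fingerprint_hex

# Constructed scenario: two certs for the same name, different keys.
LEGIT_MODULUS = b"\x00" + bytes(range(1, 33))       # made-up, not a real key
ATTACKER_MODULUS = b"\x00" + bytes(range(33, 65))   # made-up, not a real key
legit_cert = fake_cert("paypal.com", LEGIT_MODULUS)
attacker_cert = fake_cert("paypal.com", ATTACKER_MODULUS)
# Stand-in for the fingerprint obtained out of band from the site operator:
PINNED = spki_fingerprint(legit_cert)

if __name__ == "__main__":
    for label, c in (("legitimate", legit_cert), ("attacker", attacker_cert)):
        print(label, "name ok:", name_matches(c, "paypal.com"),
              "key ok:", key_matches(c, PINNED))
```

The name check is satisfied by any certificate the attacker cares to mint, which is why it confirms nothing; only the fingerprint comparison distinguishes the two, and it is only as good as the channel the fingerprint came from. The example does not verify signatures or chains; its point is that even a perfectly well-formed certificate with the right name must have its key confirmed separately.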