The plugin is the same for all users - not everyone who downloads and runs GnuPG knows how to verify it - but some people might go as far as to either compile it from source or even decompile it. If they find something suspicious, they will report it so that other people who have downloaded the software can be aware. Same thing goes for the plugin (except that the plugin is easier to verify than a compiled binary).
When I talk about people who can't review JavaScript or CAs, I'm talking about the average computer user. I am not saying that "verifying a plugin is easier than not trusting CAs that you don't trust." The average computer user doesn't care about CAs or JavaScript.
My point remains: a plugin can be verified by others who have downloaded it - a compromised CA is extremely difficult to detect.
1. Just trusting the cert, say for Amazon, directly rather than trusting the chain of trust via a CA (distrust all the root CAs and just trust Amazon's cert).
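What option 1 amounts to in code is certificate (or rather public-key) pinning: the client ignores the root store entirely and accepts a server only if the leaf it presents matches a hash recorded earlier. The example below is added here and is not from anyone in this thread; it is self-contained Go that generates a throwaway self-signed certificate (constructed test data standing in for the Amazon cert), pins its SubjectPublicKeyInfo hash, shows that ordinary chain verification against an empty root store fails while the pin check passes, and shows that a second certificate for the same name with a different key (what a compromised CA could issue) is rejected. The hostname `www.example.com` is a placeholder.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// newSelfSignedCert builds a throwaway self-signed certificate for cn.
// Constructed test data: there is no CA behind it, which is exactly the
// situation a pin-only client has to handle.
func newSelfSignedCert(cn string) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     []string{cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}

// SPKIPin returns SHA-256 of the certificate's SubjectPublicKeyInfo.
// Pinning the key rather than the whole certificate survives a routine
// certificate renewal that keeps the same key pair.
func SPKIPin(der []byte) ([32]byte, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return [32]byte{}, err
	}
	return sha256.Sum256(cert.RawSubjectPublicKeyInfo), nil
}

// VerifyPinned has the shape of tls.Config.VerifyPeerCertificate: it gets the
// raw chain the server sent and accepts it only if the leaf's SPKI hash is in
// the pin set. No root store is consulted at all.
func VerifyPinned(pins [][32]byte) func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
	return func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
		if len(rawCerts) == 0 {
			return errors.New("no certificate presented")
		}
		got, err := SPKIPin(rawCerts[0])
		if err != nil {
			return err
		}
		for _, want := range pins {
			if subtle.ConstantTimeCompare(got[:], want[:]) == 1 {
				return nil
			}
		}
		return errors.New("leaf certificate does not match any pin")
	}
}

func main() {
	// The certificate we inspected once and decided to trust directly.
	serverDER, err := newSelfSignedCert("www.example.com") // placeholder host
	if err != nil {
		panic(err)
	}
	pin, _ := SPKIPin(serverDER)
	fmt.Printf("pinned SPKI sha256: %x\n", pin)

	// Chain-of-trust verification with every root distrusted fails, as expected.
	cert, _ := x509.ParseCertificate(serverDER)
	_, err = cert.Verify(x509.VerifyOptions{Roots: x509.NewCertPool()})
	fmt.Println("chain verification:", err)

	// The pin check accepts the same certificate without any CA.
	verify := VerifyPinned([][32]byte{pin})
	fmt.Println("pin verification:", verify([][]byte{serverDER}, nil))

	// Same name, different key: what a compromised CA could hand out. Rejected.
	impostorDER, _ := newSelfSignedCert("www.example.com")
	fmt.Println("impostor:", verify([][]byte{impostorDER}, nil))

	// Wiring into a client would be:
	//   &tls.Config{InsecureSkipVerify: true, VerifyPeerCertificate: verify}
	// InsecureSkipVerify turns off the chain and hostname checks, so the pin
	// callback becomes the only check; if the site rotates its key, the client
	// breaks until the pin is updated, which is the operational cost of option 1.
}
```

The cost of this approach is visible in the last comment: nothing tells the client that a key change was legitimate, so pin updates have to arrive by some channel the client already trusts, which is the same distribution problem the thread raises for the plugin.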