Mozilla is considering pinning keys on first site access. So the only way to MITM with false certs is during the first access (which makes it the same as ssh's flaw with the server fingerprint (aka ~/.ssh/known_hosts)).
I would love it.

The only way to provide this sort of pinning with any browser is to delete all trusted CAs before browsing any HTTPS site.
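The pin-on-first-access behaviour discussed above, sketched as an added example that is not code from Mozilla or from the post. The `TofuPinStore` class, the JSON pin file and the host name are hypothetical, and the key bytes are constructed placeholders rather than real public keys.

```python
import base64
import hashlib
import hmac
import json
import os
import tempfile

def key_pin(public_key_der: bytes) -> str:
    """Base64 SHA-256 digest of the key bytes the server presented."""
    return base64.b64encode(hashlib.sha256(public_key_der).digest()).decode()

class TofuPinStore:
    """Hypothetical pin store, analogous to ~/.ssh/known_hosts."""

    def __init__(self, path: str):
        self.path = path
        self.pins = {}
        if os.path.exists(path):
            with open(path) as fh:
                self.pins = json.load(fh)

    def check(self, host: str, public_key_der: bytes) -> str:
        seen = key_pin(public_key_der)
        known = self.pins.get(host)
        if known is None:
            # First access: nothing to compare against, so whatever key is
            # presented (genuine or not) gets trusted and recorded.
            self.pins[host] = seen
            with open(self.path, "w") as fh:
                json.dump(self.pins, fh)
            return "first-use"
        if hmac.compare_digest(known, seen):
            return "match"
        return "mismatch"  # caller must abort the connection

def demo() -> list:
    # Constructed placeholder bytes, not real keys.
    site_key = b"constructed-site-public-key"
    other_key = b"constructed-substituted-public-key"
    path = os.path.join(tempfile.mkdtemp(), "pins.json")
    store = TofuPinStore(path)
    results = [store.check("example.test", site_key),
               store.check("example.test", site_key)]
    # A new process reloads the pins, so a later substitution is caught.
    results.append(TofuPinStore(path).check("example.test", other_key))
    return results

if __name__ == "__main__":
    print(demo())
```

The `first-use` branch is the window the post compares to `~/.ssh/known_hosts`: the store has no way to tell a genuine key from a substituted one until a pin exists.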