Hacker News

The way these end-to-end plugins work, the website never has access to the plaintext message; it all goes through your browser extension first.


What GP is saying is not directly correct, but if the third-party service is compromised they could force you to leak the unencrypted message?

More than that, if the third-party service is compromised they can MiTM your encrypted communications anyways.


No, it's encrypted client-side in the extension. A MITM would only see the already encrypted message that your email provider would have seen.


That wasn't the point I was making - you're still relying on Yahoo providing the public key which corresponds to a given email-address, nothing prevents Yahoo (or whichever third-party service you use) from decoding your messages under those conditions.

You're also relying on the third-party extension used for encryption not having been tampered with on their end.


Sorry, I may have misunderstood based on which kind of MITM you were talking about here :)

For the points you bring up, at least in the current nerfed extension they aren't really an issue. Key exchange does not happen through the extension or through Yahoo; it has to happen out of band. In addition, since this is just the developer preview, AFAIK there is no extension distribution except through GitHub (and so no updates to auto-download). You have to build and install the extension yourself.

Key exchange and extension verification are still two difficult remaining problems, but they are hopefully not insurmountable.
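As an added illustration of the key-trust question raised in this thread (not code from any commenter or from the extension): a key offered by a provider or directory is checked against a fingerprint the contact confirmed out of band. The `PinStore` class, the function names and the key bytes are constructed for the example, and hashing the raw key bytes with SHA-256 is an assumption, not the extension's fingerprint format.

```python
import hashlib


def fingerprint(key_bytes: bytes) -> str:
    """SHA-256 of the key bytes as hex in groups of four, easy to read aloud."""
    digest = hashlib.sha256(key_bytes).hexdigest().upper()
    return " ".join(digest[i:i + 4] for i in range(0, len(digest), 4))


def normalize(fp: str) -> str:
    """Drop spaces, colons and case so typed and computed fingerprints compare."""
    return "".join(c for c in fp.upper() if c in "0123456789ABCDEF")


class PinStore:
    """Hypothetical store: email address -> fingerprint confirmed out of band."""

    def __init__(self):
        self._pins = {}

    def pin(self, email: str, fp: str) -> None:
        fp = normalize(fp)
        if len(fp) != 64:
            raise ValueError("expected a full SHA-256 fingerprint")
        self._pins[email.lower()] = fp

    def check(self, email: str, offered_key: bytes) -> str:
        """Classify a key handed over by a directory or provider."""
        pinned = self._pins.get(email.lower())
        if pinned is None:
            return "unverified"  # nothing confirmed out of band yet
        if normalize(fingerprint(offered_key)) == pinned:
            return "match"
        return "mismatch"  # key differs from the one the contact confirmed


# Constructed sample data: stand-ins for real public key material.
ALICE_KEY = b"constructed-public-key-alice"
SUBSTITUTED_KEY = b"constructed-public-key-from-provider"

store = PinStore()
# Alice reads her fingerprint over the phone; the user types it in with colons.
store.pin("alice@example.com", fingerprint(ALICE_KEY).replace(" ", ":").lower())

if __name__ == "__main__":
    for key in (ALICE_KEY, SUBSTITUTED_KEY):
        print(store.check("Alice@Example.com", key))
    print(store.check("bob@example.com", ALICE_KEY))
```

A client built this way would encrypt only on `match` and treat `unverified` and `mismatch` as reasons to stop and ask the user.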



