diff --git a/src/vs/platform/remote/common/remoteAuthorityResolver.ts b/src/vs/platform/remote/common/remoteAuthorityResolver.ts
index d2f056af402..163eb7223c0 100644
--- a/src/vs/platform/remote/common/remoteAuthorityResolver.ts
+++ b/src/vs/platform/remote/common/remoteAuthorityResolver.ts
@@ -15,6 +15,13 @@ export interface ResolvedAuthority {
 	readonly connectionToken: string | undefined;
 }
 
+export enum RemoteTrustOption {
+	Unknown = 0,
+	DisableTrust = 1,
+	MachineTrusted = 2,
+	MachineUntrusted = 3
+}
+
 export interface ResolvedOptions {
 	readonly extensionHostEnv?: { [key: string]: string | null };
 }
diff --git a/src/vs/vscode.proposed.d.ts b/src/vs/vscode.proposed.d.ts
index 2fcc5cf1f20..8bf049a5403 100644
--- a/src/vs/vscode.proposed.d.ts
+++ b/src/vs/vscode.proposed.d.ts
@@ -80,8 +80,17 @@ declare module 'vscode' {
 		constructor(host: string, port: number, connectionToken?: string);
 	}
 
+	export enum RemoteTrustOption {
+		Unknown = 0,
+		DisableTrust = 1,
+		MachineTrusted = 2,
+		MachineUntrusted = 3
+	}
+
 	export interface ResolvedOptions {
 		extensionHostEnv?: { [key: string]: string | null; };
+
+		trust?: RemoteTrustOption;
 	}
 
 	export interface TunnelOptions {
diff --git a/src/vs/workbench/api/common/extHost.api.impl.ts b/src/vs/workbench/api/common/extHost.api.impl.ts
index cd9fbb04c2e..b93758e793c 100644
--- a/src/vs/workbench/api/common/extHost.api.impl.ts
+++ b/src/vs/workbench/api/common/extHost.api.impl.ts
@@ -85,6 +85,7 @@ import { IExtHostSecretState } from 'vs/workbench/api/common/exHostSecretState';
 import { ExtHostEditorTabs } from 'vs/workbench/api/common/extHostEditorTabs';
 import { IExtHostTelemetry } from 'vs/workbench/api/common/extHostTelemetry';
 import { ExtHostNotebookKernels } from 'vs/workbench/api/common/extHostNotebookKernels';
+import { RemoteTrustOption } from 'vs/platform/remote/common/remoteAuthorityResolver';
 
 export interface IExtensionApiFactory {
 	(extension: IExtensionDescription, registry: ExtensionDescriptionRegistry, configProvider: ExtHostConfigProvider): typeof vscode;
@@ -1240,6 +1241,7 @@ export function createApiFactoryAndRegisterActors(accessor: ServicesAccessor): I
 			InlineHint: extHostTypes.InlineHint,
 			InlineHintKind: extHostTypes.InlineHintKind,
 			RemoteAuthorityResolverError: extHostTypes.RemoteAuthorityResolverError,
+			RemoteTrustOption: RemoteTrustOption,
 			ResolvedAuthority: extHostTypes.ResolvedAuthority,
 			SourceControlInputBoxValidationType: extHostTypes.SourceControlInputBoxValidationType,
 			ExtensionRuntime: extHostTypes.ExtensionRuntime,
diff --git a/src/vs/workbench/services/extensions/common/extensionHostManager.ts b/src/vs/workbench/services/extensions/common/extensionHostManager.ts
index 5d158e414bf..b363ff4c1ff 100644
--- a/src/vs/workbench/services/extensions/common/extensionHostManager.ts
+++ b/src/vs/workbench/services/extensions/common/extensionHostManager.ts
@@ -71,7 +71,7 @@ export class ExtensionHostManager extends Disposable {
 				return { value: this._createExtensionHostCustomers(protocol) };
 			},
 			(err) => {
-				console.error('Error received from starting extension host');
+				console.error(`Error received from starting extension host (kind: ${this.kind})`);
 				console.error(err);
 				return null;
 			}
diff --git a/src/vs/workbench/services/extensions/electron-browser/extensionService.ts b/src/vs/workbench/services/extensions/electron-browser/extensionService.ts
index 380d121f77e..73cd18b7959 100644
--- a/src/vs/workbench/services/extensions/electron-browser/extensionService.ts
+++ b/src/vs/workbench/services/extensions/electron-browser/extensionService.ts
@@ -42,6 +42,9 @@ import { Schemas } from 'vs/base/common/network';
 import { ExtensionHostExitCode } from 'vs/workbench/services/extensions/common/extensionHostProtocol';
 import { updateProxyConfigurationsScope } from 'vs/platform/request/common/request';
 import { ConfigurationScope } from 'vs/platform/configuration/common/configurationRegistry';
+import { IDialogService } from 'vs/platform/dialogs/common/dialogs';
+
+const MACHINE_PROMPT = false;
 
 export class ExtensionService extends AbstractExtensionService implements IExtensionService {
 
@@ -69,6 +72,7 @@ export class ExtensionService extends AbstractExtensionService implements IExten
 		@IRemoteExplorerService private readonly _remoteExplorerService: IRemoteExplorerService,
 		@IExtensionGalleryService private readonly _extensionGalleryService: IExtensionGalleryService,
 		@ILogService private readonly _logService: ILogService,
+		@IDialogService private readonly _dialogService: IDialogService,
 	) {
 		super(
 			new ExtensionRunningLocationClassifier(
@@ -358,6 +362,27 @@ export class ExtensionService extends AbstractExtensionService implements IExten
 				return;
 			}
 
+			if (MACHINE_PROMPT) {
+				const dialogResult = await this._dialogService.show(
+					Severity.Warning,
+					nls.localize('machineTrustQuestion', "Do you trust the machine you're connecting to?"),
+					[nls.localize('yes', "Yes, connect."), nls.localize('no', "No, disconnect.")],
+					{
+						cancelId: 1,
+						useCustom: true,
+						// checkbox: { label: nls.localize('remember', "Remember my choice"), checked: true }
+					}
+				);
+
+				if (dialogResult.choice !== 0) {
+					// Did not confirm trust
+					this._notificationService.notify({ severity: Severity.Warning, message: nls.localize('trustFailure', "Refused to connect to untrusted machine.") });
+					// Proceed with the local extension host
+					await this._startLocalExtensionHost(localExtensions);
+					return;
+				}
+			}
+
 			// set the resolved authority
 			this._remoteAuthorityResolverService._setResolvedAuthority(resolverResult.authority, resolverResult.options);
 			this._remoteExplorerService.setTunnelInformation(resolverResult.tunnelInformation);