- replies
- 2
- announces
- 0
- likes
- 0
Would have to be with a very noticable warning. Other than that, it could use TOFU like Gemini.
@Hyolobrika
It almost works like that already.
When you open a page on a server with self-signed cert, it gives you a warning, if you accept it, it adds an exception for that cert — you can see the list in preferences under Privacy & Security → Certificates → View certificates → Servers
@Hyolobrika
It also keeps the fingerprints so if you get a different cert on a later visit, it will give you a warning again.
To simplify adding an exception on the first visit you might want to consider this: http://kb.mozillazine.org/Browser.xul.error_pages.expert_bad_cert
You don't need permission from a certificate authority then, much more independent.
How much vetting does Let's Encrypt do anyway? AFAIK not much.
Should be one colour (say, red) for errors and another (say, yellow) for self-signed. Sort of like the way Pixel bootloaders show green for official OS and yellow for unofficial but red for an error (IIRC).
@Hyolobrika @Hyolobrika
Self-signed certs do not provide the capability to revoke them. Imagine that a malicious actor isn't just spoofing the site you trust with their own self-signed cert, but that the private key got compromised. With self-signed certs you have no way of telling users that the already trusted certificate is no longer valid, such a capability implies some sort of infrastructure and infrastructure implies hierarchy as someone has to operate it🤷
@Hyolobrika @Hyolobrika
LetsEncrypt at the very least checks that it's indeed you who controls the DNS record — not much and it won't protect you from a malicious hoster (see jabber.ru case), but it might be useful against a malicious ISP and to a degree, a state actor. E.g. in Russia people are encouraged to install a new CA cert, then the state can make ISPs redirect the traffic to a forged website…
@Hyolobrika
…with self-signed cert your first visit might already be to a forged website, making you trust this "fake" cert, but with LetsEncrypt and the website out of the state's reach (not hosted in Russia) — you're safe.
@Hyolobrika
No, it's Mozilla's generic white on #1C1B22 (no idea what the name of this colour is) — but you can make it you way with userContent.css — and I never tried making these myself, but I'm pretty sure you can make an extension that does this — or, look it up, maybe someone already made one 🤷
@Hyolobrika
No idea, never used it 😏
But yeah theoretically you could have a private CRL server if we could get OSes and browsers to let us configure it
@Hyolobrika
It does — and it does have infrastructure for that, but as PGP has much smaller user base, keeping it up it isn't a problem.
Also, AFAIK while it is possible to revoke your certificate, you can't just update the entry in this DB if your key gets compromised in a straightforward way — as far as I recall, it involves jumping through lots of hoops.
@feld @Hyolobrika
Another problem with HTTPS and self-signed certs is that while Firefox was created in the days when self-signed certificates weren't considered bad. However, relying on centralised authorities became a tradition since, so newer software might be designed differently, e.g. rustls which has become the dominant Rust crate for TLS stuff, doesn't allow handling TOFU and self-signed certs cleanly: https://github.com/rustls/rustls/issues/435 for them it's "dangerous_configuration" 😩
@feld @Hyolobrika
On one hand, Gemini might change this tradition — or rather create its own tradition, but on the other — in Gemini you simply don't have to deal with the same problems simply because of smaller user base and greater decentralisation. No government to my knowledge is willing it be MITMing Station, but I'm pretty sure there are quite a few willing to do that to Twitter or YouTube 😏
@Hyolobrika @feld
Just noticed this reply, sorry. No, it's not just about stating the intent clearly, it's more of a build flag — you have to build this crate with support for handling such cases, by default this code just gets excluded, and as this isn't a default feature, I suppose it doesn't get tested as thoroughly, it might take time for the devs to notice that something is broken in that code. Which IMO is a quite different approach.