

Seirdy | 3 years ago

QUIC does not require a CA. Self-signed or DANE-backed TLS certificates work fine. Try using cURL built with HTTP/3 support to see for yourself.

Requiring CAs and not implementing support for other anchors of trust is an implementation decision, and is not mandated by the spec. The spec mandates TLS 1.3, not "the version of TLS 1.3 used by these three web browsers". QUIC was designed with non-browser use in mind too; it's for any situation where you want to maintain connection integrity in an unreliable network.
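Seirdy's point above, that a TLS 1.3 (and therefore QUIC) endpoint needs a trust anchor but not necessarily a public CA, can be checked on a loopback socket. The following is an added example, not code from this thread or from cURL: it uses the `openssl` CLI (assumed to be installed) to mint a self-signed certificate for `localhost`, serves it from a TLS 1.3-only listener, and then connects twice from Python's `ssl` module, once with that certificate pinned as the sole trust anchor (the equivalent of `curl --cacert cert.pem`) and once with the stock Web PKI bundle, as a browser would. The first handshake passes full verification including the hostname check; the second is rejected. That is the difference between "the protocol forbids it" and "this client's trust policy forbids it". Function names such as `run_experiment` are my own.

```python
"""Self-signed TLS 1.3 on loopback: accepted under a pinned trust anchor,
rejected under the public Web PKI store. Added example, not the thread's
or cURL's code. Assumes the `openssl` CLI is on PATH and Python >= 3.7."""
import os
import socket
import ssl
import subprocess
import tempfile
import threading

HOST = "localhost"  # hostname the constructed certificate is issued for


def make_self_signed(directory):
    """Generate a throwaway self-signed key and certificate with the openssl CLI."""
    key = os.path.join(directory, "key.pem")
    cert = os.path.join(directory, "cert.pem")
    subprocess.run(
        ["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes",
         "-keyout", key, "-out", cert, "-days", "1",
         "-subj", f"/CN={HOST}", "-addext", f"subjectAltName=DNS:{HOST}"],
        check=True, capture_output=True)
    return key, cert


def serve(listener, server_ctx, connections):
    """Accept `connections` handshakes. A client that rejects our certificate
    shows up here as a failed handshake (a TLS alert), which we swallow."""
    for _ in range(connections):
        conn, _ = listener.accept()
        try:
            with server_ctx.wrap_socket(conn, server_side=True) as tls:
                tls.recv(16)
        except OSError:
            pass  # peer refused the certificate or hung up


def attempt(port, client_ctx):
    """One client handshake; returns ('ok', protocol) or ('rejected', reason)."""
    with socket.create_connection(("127.0.0.1", port)) as raw:
        try:
            with client_ctx.wrap_socket(raw, server_hostname=HOST) as tls:
                tls.sendall(b"hi")
                return ("ok", tls.version())
        except ssl.SSLCertVerificationError as exc:
            return ("rejected", exc.reason)


def run_experiment():
    """Return {'pinned': outcome, 'webpki': outcome} for the two client policies."""
    with tempfile.TemporaryDirectory() as tmp:
        key, cert = make_self_signed(tmp)
        server_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        server_ctx.minimum_version = ssl.TLSVersion.TLSv1_3  # the version QUIC mandates
        server_ctx.load_cert_chain(cert, key)

        listener = socket.socket()
        listener.bind(("127.0.0.1", 0))
        listener.listen(2)
        port = listener.getsockname()[1]
        server = threading.Thread(target=serve, args=(listener, server_ctx, 2), daemon=True)
        server.start()

        # Policy 1: the self-signed certificate itself is the trust anchor.
        # Verification and hostname checking stay fully enabled.
        pinned = ssl.create_default_context(cafile=cert)
        # Policy 2: only the operating system's public CA bundle is trusted.
        webpki = ssl.create_default_context()

        results = {"pinned": attempt(port, pinned), "webpki": attempt(port, webpki)}
        server.join(5)
        listener.close()
        return results


if __name__ == "__main__":
    for policy, outcome in run_experiment().items():
        print(f"{policy:7s} -> {outcome}")
```

Against a real HTTP/3 server the same check is `curl --http3 --cacert cert.pem https://host/` with a cURL build that has HTTP/3 support; the certificate is verified normally, it is just verified against an anchor you chose rather than one a public CA chose for you.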


superkuh | 3 years ago

True in theory, not true in practice. It might work if all the random people on the internet used cURL to visit my websites, but they tend to use browsers that are Chrome based. And Chrome's QUIC (or the underlying quiche library) differs from how Chrome's H1 and H2 implement TLS. It will not accept a self-signed cert during an HTTP3 QUIC connection. Even going to localhost (defeats the point, but to check) and trying --disable_certificate_verification --allow-insecure-localhost will not work.

Like I said, the megacorps that designed QUIC designed it for their use cases and that does not include allowing human people to host websites by themselves. Not if it potentially impacts e-commerce security. Their implementations reflect this.