top | item 46650004

(no title)

jdsully | 1 month ago

At some point it makes sense to just let us use self signed certs. Nobody believes SSL is providing attestation anyways.

discuss

vimda|1 month ago

A lot corporate environments load their root cert and MITM you anyway

sgjohnson|1 month ago

A lot of applications implement cert pinning for this exact reason

woodruffw|1 month ago

What does attestation mean in this context? The point of the Web PKI is to provide consistent cryptographic identity for online resources, not necessarily trustworthy ones.

(The classic problem with self-signed certs being that TOFU doesn’t scale to millions of users, particularly ones who don’t know what a certificate fingerprint is or what it means when it changes.)

cpach|1 month ago

Then you might as well get rid of TLS altogether.

jdsully|1 month ago

You'd still want in transit encryption. There are other methods than centralized trust like fingerprinting to detect forgeries.