Conversation

Notices

    Hyolobrika (hyolobrika@social.fbxl.net)'s status on Monday, 09-Sep-2024 07:22:48 JST
    i wonder if I could configure my browser to accept self-signed certificates?
      Hyolobrika (hyolobrika@social.fbxl.net)'s status on Monday, 09-Sep-2024 07:22:45 JST, in reply to m0xEE
      @m0xee More websites in the software freedom focussed nerdosphere should use self-signed certs and rely on TOFU like Gemini does.

      You don't need permission from a certificate authority then, much more independent.
      m0xEE (m0xee@social.librem.one)'s status on Monday, 09-Sep-2024 07:22:46 JST
      @Hyolobrika
      It also keeps the fingerprints so if you get a different cert on a later visit, it will give you a warning again.
      To simplify adding an exception on the first visit you might want to consider this: http://kb.mozillazine.org/Browser.xul.error_pages.expert_bad_cert

      Hyolobrika (hyolobrika@social.fbxl.net)'s status on Monday, 09-Sep-2024 07:22:46 JST, in reply to m0xEE
      @m0xee TIL that Firefox does that. Chromium as well?
      m0xEE (m0xee@social.librem.one)'s status on Monday, 09-Sep-2024 07:22:47 JST
      @Hyolobrika
      It almost works like that already.
      When you open a page on a server with a self-signed cert, it gives you a warning; if you accept it, it adds an exception for that cert — you can see the list in preferences under Privacy & Security → Certificates → View certificates → Servers

      Hyolobrika (hyolobrika@social.fbxl.net)'s status on Monday, 09-Sep-2024 07:22:48 JST
      Would have to be with a very noticeable warning. Other than that, it could use TOFU like Gemini.

      feld (feld@friedcheese.us)'s status on Monday, 09-Sep-2024 07:37:07 JST
      @Hyolobrika Yes, you just import it into your OS's certificate store. If you operate your own CA root you can just import that one cert into every device and they'll all recognize your self-signed certs as trusted.

      This is harder to do on Linux, which has a far less mature concept of a global certificate store and may even differ between distros (last I checked RHEL has the best solution and I tried to get traction cloning their scripts for managing certs and blacklists into FreeBSD), but it has improved a ton within the last 5 or so years.
      feld (feld@friedcheese.us)'s status on Monday, 09-Sep-2024 22:23:44 JST, in reply to m0xEE
      @Hyolobrika @m0xee PGP revocation requires that you search the same keyservers for the revocation that they published it to. If they didn't publish it where you'll find it you're screwed.

      But yeah theoretically you could have a private CRL server if we could get OSes and browsers to let us configure it
      Hyolobrika (hyolobrika@social.fbxl.net)'s status on Monday, 09-Sep-2024 22:23:45 JST, in reply to m0xEE
      Doesn't PGP do that with revocation certificates?
      Why can't TLS do the same thing?
      m0xEE (m0xee@social.librem.one)'s status on Monday, 09-Sep-2024 22:23:46 JST
      @Hyolobrika @Hyolobrika
      Self-signed certs do not provide the capability to revoke them. Imagine that a malicious actor isn't just spoofing the site you trust with their own self-signed cert, but that the private key got compromised. With self-signed certs you have no way of telling users that the already trusted certificate is no longer valid, such a capability implies some sort of infrastructure and infrastructure implies hierarchy as someone has to operate it🤷


GNU social JP is a social network, courtesy of GNU social JP管理人. It runs on GNU social, version 2.0.2-dev, available under the GNU Affero General Public License.

Creative Commons Attribution 3.0 All GNU social JP content and data are available under the Creative Commons Attribution 3.0 license.