undefined | Better HN

0 pointsinsanitybit3y ago0 comments

Can you not just have it use a self signed certificate? I don't see why a CA would need to be involved at all, nor can I even imagine how that could be enforced at the protocol level.

This sounds like a red herring to me.

edit: Yeah I've more or less confirmed that self signed certs are perfectly fine in HTTP3. This is a big ball of nothing.

0 comments

rootusrootus3y ago

About half my personal (private, in my own home LAN) sites use self-signed certs that Chrome flat out won't accept. I have to type the magic key sequence to bypass the error. I do wish we could come up with something better for this kind of use case, then having to set up letsencrypt on my public domain and issue a wildcard cert to use with RFC1918 web sites.

And that's without worrying about HTTP/3.

somat3y ago

I wish there was an intermediate AH mode. the page is signed but not encrypted.

Or baring that I wish that browsers would ease up a bit and make tofu style self signed certs acceptable.

I really don't like how there is an expire time built into tls sites. Have you ever found someones old site, usually hosted by a university, that just lives year after year like a time capsule. well not gonna happen with tls.

And on the subject of CA's I don't think I trust them any more than a tofu model Have you looked and verified every authority in your CA file? Do you really trust the turkish government to be able to sign for any web site.

Aha! you say, this is why we have cert pinning.

To which my reply is. cert pinning is the tofu model where you have removed all user agency. it is better than the CA model but really sucks from a end user perspective. when thing go wrong, there is no easy way to fix it.

insanitybitOP3y ago

Add the certificate to your trusted store? HTTP3 will change nothing about this.

skrtskrt3y ago

Yeah this is just a browser setting - this complaint sounds in bad faith coming from someone who apparently knows about all the other aspects of using certs?

snowwrestler3y ago

If you control both the server and the client, you can make yourself your own private CA, issue all the certs you need, and have no browser errors anywhere.

bornfreddy3y ago

> I have to type the magic key sequence to bypass the error.

8 keys? f + i + r + e + f + o + x + Enter?

count3y ago

'thisisunsafe' to answer the actual question

X-Cubed3y ago

I suspect you're missing the subjectAltName field from your certificate(s).

https://developer.chrome.com/blog/chrome-58-deprecations/#re...

kevin_thibedeau3y ago

Use an empowered browser that lets you install your own private CA root.

ameliaquining3y ago

Chrome does let you install your own private CA root. GP's problem sounds like a misconfiguration on the certificate-generation side.

j / k navigate · click thread line to collapse