Would have to be with a very noticable warning. Other than that, it could use TOFU like Gemini.
@Hyolobrika
It almost works like that already.
When you open a page on a server with self-signed cert, it gives you a warning, if you accept it, it adds an exception for that cert — you can see the list in preferences under Privacy & Security → Certificates → View certificates → Servers
@Hyolobrika
It also keeps the fingerprints so if you get a different cert on a later visit, it will give you a warning again.
To simplify adding an exception on the first visit you might want to consider this: http://kb.mozillazine.org/Browser.xul.error_pages.expert_bad_cert
You don't need permission from a certificate authority then, much more independent.
@Hyolobrika @Hyolobrika
Self-signed certs do not provide the capability to revoke them. Imagine that a malicious actor isn't just spoofing the site you trust with their own self-signed cert, but that the private key got compromised. With self-signed certs you have no way of telling users that the already trusted certificate is no longer valid, such a capability implies some sort of infrastructure and infrastructure implies hierarchy as someone has to operate it🤷
Why can't TLS do the same thing?
But yeah theoretically you could have a private CRL server if we could get OSes and browsers to let us configure it
@feld @Hyolobrika
Another problem with HTTPS and self-signed certs is that while Firefox was created in the days when self-signed certificates weren't considered bad. However, relying on centralised authorities became a tradition since, so newer software might be designed differently, e.g. rustls which has become the dominant Rust crate for TLS stuff, doesn't allow handling TOFU and self-signed certs cleanly: https://github.com/rustls/rustls/issues/435 for them it's "dangerous_configuration" 😩
@Hyolobrika @feld
Just noticed this reply, sorry. No, it's not just about stating the intent clearly, it's more of a build flag — you have to build this crate with support for handling such cases, by default this code just gets excluded, and as this isn't a default feature, I suppose it doesn't get tested as thoroughly, it might take time for the devs to notice that something is broken in that code. Which IMO is a quite different approach.
@feld @Hyolobrika
On one hand, Gemini might change this tradition — or rather create its own tradition, but on the other — in Gemini you simply don't have to deal with the same problems simply because of smaller user base and greater decentralisation. No government to my knowledge is willing it be MITMing Station, but I'm pretty sure there are quite a few willing to do that to Twitter or YouTube 😏