596 points pimterry | 8 comments
superkuh No.36862573
Google/Microsoft/Apple essentially did this with HTTP/3 too. None of their shipped browsers are able to connect to a non-"CA TLS" HTTP/3 endpoint. To host an HTTP/3 website visitable by a random normal person you have to get continued approval (every 3 months min) from a third party CA corporation for your website.
replies(2): >>36862591 #>>36863130 #
2OEH8eoCRo0 No.36862591
What do you mean approval? You'd need a cert from an entity like Let's Encrypt?
replies(1): >>36862610 #
superkuh No.36862610
Yep. LetsEncrypt is great but everyone centralizing in them is not so great. Normal browsers having the ability to connect to a bare HTTP endpoint in HTTP/3 would solve any problems that might arise from this centralization. It's a straightforward and easy thing to fix for the HTTP/3 lib devs and mega-corp browsers using those libs. But no one cares about it.
replies(4): >>36862723 #>>36862727 #>>36863143 #>>36863452 #
1. packetlost No.36862723
Kinda surprised there aren't a few CAs that set up Let's Encrypt-like automated infrastructure that charge a small subscription fee for certificates. I'd pay $1-$3/m or so for preventing a mono-culture + big attack surface, but don't really want to give up the convenience of Let's Encrypt.

I know there's a big barrier to entry for being a CA (as there should be), but it shouldn't be impossible.

replies(2): >>36862744 #>>36865061 #
2. Avamander No.36862744
> Kinda surprised there isn't a few CAs that set up Let's Encrypt-like automated infrastructure that charge a small subscription fee for certificates.

There are other ACME-compatible CAs.

replies(1): >>36862805 #
3. packetlost No.36862805
Oh? Examples?
replies(1): >>36862858 #
4. capableweb No.36862858
https://zerossl.com/ is a popular alternative. https://www.buypass.com/ is another one I haven't personally tried.
replies(2): >>36863059 #>>36863145 #
5. ehhthing No.36863059
Also Google Trust Services has free certificates although you need a Google Cloud project for it.
replies(1): >>36863087 #
6. capableweb No.36863087
Not sure Google is a great alternative if you want to prevent further centralization of CAs :)
7. packetlost No.36863145
Oh cool, I couldn't find those on Google. I'll check them out
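Added example (editor's code, not posted by anyone in the thread and not taken from any of the CAs' own clients): switching an ACME client from Let's Encrypt to one of the alternatives above is mostly a matter of pointing it at a different directory URL, but ZeroSSL and Google Trust Services also require External Account Binding (EAB) credentials when the account is registered, while Buypass and Let's Encrypt do not. The block below reads the directory document to decide whether EAB is needed and builds the externalAccountBinding JWS from RFC 8555 section 7.3.4 using only the standard library. The four directory URLs are the real ones; the sample directory document, the account JWK (P-256 test-vector coordinates) and the MAC key are constructed and labelled as such, and nothing here touches the network.

```python
import base64
import hashlib
import hmac
import json

# Real ACME directory URLs for the CAs named in the thread; these are the
# values an ACME client's "server" option takes. Whether a CA also requires
# External Account Binding is read from its directory, not hard-coded.
DIRECTORY_URLS = {
    "letsencrypt": "https://acme-v02.api.letsencrypt.org/directory",
    "zerossl": "https://acme.zerossl.com/v2/DV90",
    "buypass": "https://api.buypass.com/acme/directory",
    "google": "https://dv.acme-v02.api.pki.goog/directory",
}

# Constructed sample directory document, shaped per RFC 8555 section 7.1.1,
# for a CA that requires EAB. The acme.example URLs are illustrative; a real
# client uses whatever the live directory returns.
SAMPLE_DIRECTORY = json.loads("""{
  "newNonce": "https://acme.example/new-nonce",
  "newAccount": "https://acme.example/new-account",
  "newOrder": "https://acme.example/new-order",
  "revokeCert": "https://acme.example/revoke-cert",
  "keyChange": "https://acme.example/key-change",
  "meta": {"termsOfService": "https://acme.example/terms",
           "externalAccountRequired": true}
}""")

# Constructed sample credentials. The JWK is the public half of the client's
# ACME account key (P-256 test-vector coordinates, not a real account); the
# MAC key stands in for the one a CA portal hands out next to a key ID.
SAMPLE_ACCOUNT_JWK = {
    "kty": "EC", "crv": "P-256",
    "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
    "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0",
}


def b64url(data):
    """Base64url without padding, as JWS requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


SAMPLE_EAB_HMAC_KEY = b64url(b"constructed demo EAB MAC key, not a real one")


def eab_required(directory):
    """RFC 8555 section 7.1.1: meta.externalAccountRequired, default false."""
    return bool(directory.get("meta", {}).get("externalAccountRequired", False))


def build_eab(account_jwk, eab_kid, eab_hmac_key, new_account_url):
    """Build the externalAccountBinding JWS (RFC 8555 section 7.3.4).

    The CA hands out (kid, MAC key) out of band. The JWS binds the client's
    ACME account public key (the JWK, as payload) to that external identity
    by MACing it with HS256 under the CA-issued key; "url" must equal the
    newAccount URL of the enclosing request.
    """
    protected = {"alg": "HS256", "kid": eab_kid, "url": new_account_url}
    protected_b64 = b64url(json.dumps(protected, separators=(",", ":")).encode())
    payload_b64 = b64url(json.dumps(account_jwk, separators=(",", ":")).encode())
    signing_input = f"{protected_b64}.{payload_b64}".encode("ascii")
    mac = hmac.new(b64url_decode(eab_hmac_key), signing_input, hashlib.sha256).digest()
    return {"protected": protected_b64, "payload": payload_b64, "signature": b64url(mac)}


def eab_header(eab):
    """Decode the protected header of an EAB JWS."""
    return json.loads(b64url_decode(eab["protected"]))


def verify_eab(eab, eab_hmac_key, new_account_url, account_jwk):
    """What the CA checks: MAC is valid and header/payload match the request."""
    signing_input = f"{eab['protected']}.{eab['payload']}".encode("ascii")
    expected = hmac.new(b64url_decode(eab_hmac_key), signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(eab["signature"])):
        return False
    protected = eab_header(eab)
    payload = json.loads(b64url_decode(eab["payload"]))
    return (protected.get("alg") == "HS256"
            and protected.get("url") == new_account_url
            and payload == account_jwk)


def new_account_request(directory, account_jwk, contact, eab_kid=None, eab_hmac_key=None):
    """Body of the newAccount request, with EAB attached only when the CA asks."""
    body = {"termsOfServiceAgreed": True, "contact": contact}
    if eab_required(directory):
        if not (eab_kid and eab_hmac_key):
            raise ValueError("this CA requires External Account Binding credentials")
        body["externalAccountBinding"] = build_eab(
            account_jwk, eab_kid, eab_hmac_key, directory["newAccount"])
    return body


if __name__ == "__main__":
    req = new_account_request(SAMPLE_DIRECTORY, SAMPLE_ACCOUNT_JWK,
                              ["mailto:hostmaster@example.org"],
                              eab_kid="demo-kid", eab_hmac_key=SAMPLE_EAB_HMAC_KEY)
    print(json.dumps(req, indent=2))
```

The outer JWS over this body (signed with the account key and carrying the nonce) is unchanged from a plain Let's Encrypt registration; EAB only adds the inner JWS. In certbot the same credentials are passed as `--eab-kid` and `--eab-hmac-key` together with `--server`, and in acme.sh via `--register-account --eab-kid ... --eab-hmac-key ...`.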
8. seabass-labrax No.36865061
I think that Let's Encrypt gets a lot of undeserved criticism for being the only major ACME-compatible CA. Yes, it's not so good to have monopolies on authenticity, but Let's Encrypt was founded by Mozilla, the EFF and the University of Michigan and was endorsed by the FSF.

That's a pretty good set of organisations when considering the general status of the internet, and a set that doesn't overlap with the major players in consumer technology (Apple, Microsoft and Google).