←back to thread

Apple already shipped attestation on the web, and we barely noticed

(httptoolkit.com)
596 points pimterry | 6 comments | 25 Jul 23 14:10 UTC | HN request time: 0.001s | source | bottom
Show context
superkuh ◴[25 Jul 23 14:15 UTC] No.36862573[source]
Google/Microsoft/Apple essentially did this with HTTP/3 too. None of their shipped browsers are able to connect to a non-"CA TLS" HTTP/3 endpoint. To host a HTTP/3 website visitable by a random normal person you have to get continued approval (every 3 months min) from a third party CA corporation for your website.
replies(2): >>36862591 #>>36863130 #
2OEH8eoCRo0 ◴[25 Jul 23 14:17 UTC] No.36862591[source]
What do you mean approval? You'd need a cert from an entity like Let's Encrypt?
replies(1): >>36862610 #
superkuh ◴[25 Jul 23 14:18 UTC] No.36862610[source]
Yep. LetsEncrypt is great but everyone centralizing in them is not so great. Normal browsers having the ability to connect to a bare HTTP endpoint in HTTP/3 would solve any problems that might arise from this centralization. It's a straightforwards and easy thing to fix for the HTTP/3 lib devs and mega-corp browsers using those libs. But no one cares about it.
replies(4): >>36862723 #>>36862727 #>>36863143 #>>36863452 #
packetlost ◴[25 Jul 23 14:26 UTC] No.36862723[source]
Kinda surprised there isn't a few CAs that set up Let's Encrypt-like automated infrastructure that charge a small subscription fee for certificates. I'd pay $1-$3/m or so for preventing a mono-culture + big attack surface, but don't really want to give up the convenience of Let's Encrypt.

I know there's a big barrier to entry for being a CA (as there should be), but it shouldn't be impossible.

replies(2): >>36862744 #>>36865061 #
1. Avamander ◴[25 Jul 23 14:27 UTC] No.36862744[source]
> Kinda surprised there isn't a few CAs that set up Let's Encrypt-like automated infrastructure that charge a small subscription fee for certificates.

There are other ACME-compatible CA's.

replies(1): >>36862805 #
2. packetlost ◴[25 Jul 23 14:31 UTC] No.36862805[source]
Oh? Examples?
replies(1): >>36862858 #
3. capableweb ◴[25 Jul 23 14:34 UTC] No.36862858[source]
https://zerossl.com/ is a popular alternative. https://www.buypass.com/ is another one I haven't personally tried.
replies(2): >>36863059 #>>36863145 #
4. ehhthing ◴[25 Jul 23 14:47 UTC] No.36863059{3}[source]
Also Google Trust Services has free certificates although you need a Google Cloud project for it.
replies(1): >>36863087 #
5. capableweb ◴[25 Jul 23 14:48 UTC] No.36863087{4}[source]
Not sure Google is a great alternative if you want to prevent further centralization of CAs :)
6. packetlost ◴[25 Jul 23 14:52 UTC] No.36863145{3}[source]
Oh cool, I couldn't find those on Google. I'll check them out