←back to thread

Apple already shipped attestation on the web, and we barely noticed

(httptoolkit.com)
596 points pimterry | 1 comments | 25 Jul 23 14:10 UTC | HN request time: 0.478s | source
Show context
superkuh ◴[25 Jul 23 14:15 UTC] No.36862573[source]
Google/Microsoft/Apple essentially did this with HTTP/3 too. None of their shipped browsers are able to connect to a non-"CA TLS" HTTP/3 endpoint. To host a HTTP/3 website visitable by a random normal person you have to get continued approval (every 3 months min) from a third party CA corporation for your website.
replies(2): >>36862591 #>>36863130 #
2OEH8eoCRo0 ◴[25 Jul 23 14:17 UTC] No.36862591[source]
What do you mean approval? You'd need a cert from an entity like Let's Encrypt?
replies(1): >>36862610 #
superkuh ◴[25 Jul 23 14:18 UTC] No.36862610[source]
Yep. LetsEncrypt is great but everyone centralizing in them is not so great. Normal browsers having the ability to connect to a bare HTTP endpoint in HTTP/3 would solve any problems that might arise from this centralization. It's a straightforwards and easy thing to fix for the HTTP/3 lib devs and mega-corp browsers using those libs. But no one cares about it.
replies(4): >>36862723 #>>36862727 #>>36863143 #>>36863452 #
1. cyberax ◴[25 Jul 23 14:51 UTC] No.36863143[source]
Why? Just skip the CA verification when you use HTTP/3. Done.

While this is less secure than a verified certificate, it still avoids plaintext on the wire and requires an active MITM to eavesdrop.