And looping back to the tin-foil hatters, many of us have called into question why all browsers have, over time, decreased their support for self-signed certificates. There are modes wherein Firefox will not even offer the "proceed anyway" option [1]. Conspiracy theories abound, but the browsers' marginalization of self-signed certificates has always struck me as devious.

Yes, please do alert users that self-signed certificates are potentially sourced by nefarious organizations. But in most cases, they are used by small companies and individuals to simply encrypt content from trusted servers. So allow them to be permanently trusted.

Perhaps we will see an increase in interest in web-of-trust alternatives?

[1] https://bugzilla.mozilla.org/show_bug.cgi?id=435013

You can, pretty trivially, import your private CA's public key into your keychain, and boom, no more warnings.

I do think that the average Joe, who doesn't know what a certificate or CA is, should be protected from automatically trusting an unknown CA.

I don't see how it follows. If anything, self-signed certs just make it easier for the NSA (or anyone else) to capture your traffic. Organizations should probably set up their own CA instead.

That's what we meant. IIRC you can't even use a self-signed certificate directly for authentication: you have to create your own self-signed root CA, then use it to sign your authentication certificate.
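The private-CA setup the two comments above describe (a self-signed root you import into your trust store, which then signs the actual server certificate), written out as an added openssl script that is not from any commenter; the CA name, host name and file paths are made up, and it assumes a POSIX shell with openssl 1.1.1 or later:

```shell
#!/bin/sh
# Added example (not from the thread): build a private root CA with openssl, sign a
# server certificate with it, and contrast that with a plain self-signed certificate.
# Assumes POSIX sh and openssl >= 1.1.1; CA name, host name and paths are made up.
set -eu
WORK="${WORK:-$(mktemp -d)}"

# One small config file holding the CA and leaf extension profiles.
write_config() {
    cat > "$WORK/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_leaf]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
subjectAltName = DNS:intranet.example.test
EOF
}

# 1. Self-signed root CA: the one certificate you would import into an OS keychain
#    or browser trust store so that everything it signs becomes trusted.
make_root_ca() {
    openssl req -x509 -config "$WORK/pki.cnf" -extensions v3_ca -newkey rsa:2048 -nodes \
        -sha256 -days 3650 -subj "/CN=Example Private Root CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
}

# 2. Server key and CSR, then a leaf certificate signed by the root CA (not self-signed).
make_server_cert() {
    openssl req -new -config "$WORK/pki.cnf" -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=intranet.example.test" -keyout "$WORK/server.key" -out "$WORK/server.csr" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -days 365 -sha256 -extfile "$WORK/pki.cnf" -extensions v3_leaf -out "$WORK/server.crt" >/dev/null 2>&1
}

# 3. For contrast: the same server identity as a plain self-signed certificate.
make_selfsigned_cert() {
    openssl req -x509 -config "$WORK/pki.cnf" -extensions v3_leaf -newkey rsa:2048 -nodes \
        -sha256 -days 365 -subj "/CN=intranet.example.test" \
        -keyout "$WORK/self.key" -out "$WORK/self.crt" >/dev/null 2>&1
}

# Exit status 0 if the certificate chains to the given trust anchor, non-zero otherwise.
verify_against() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }
build_all() { write_config; make_root_ca; make_server_cert; make_selfsigned_cert; }
```

After `build_all`, `verify_against "$WORK/ca.crt" "$WORK/server.crt"` succeeds while the same check against `self.crt` fails, which is exactly the warning browsers raise: the self-signed leaf chains to nothing you have chosen to trust, whereas the CA-signed one is trusted by importing a single root.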

The point is, if what you do interests the US government, it can compel Verisign and the likes to betray your trust, so you shouldn't trust them. And what emerges progressively is that the threshold beyond which you're deemed "interesting" by US administrations is way lower than long believed.

If you're a company doing international business, you want to secure your strategic communications with your own root CA, not with that of a company who can't say no to the government.

A CA outside the reach of the NSA would be really valuable right now. A free CA outside the reach of the NSA would save the world.