Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

If you really want to tackle SSL make it less stupid. Self-signed certificates? I want these pinned and treated as secure. I want a notification if they change around the time they expire and a really big warning if they don't.

If we must have central trust sources, then have central hash servers so when I visit a new self-signer I can externally verify the hash.



Say the owner of a website with a self-signed cert fears it might have been compromised, and decides to create a new cert. How is the user supposed to distinguish that from a MITM?


That's what the central hash servers are for. Am I being MITM'd? Well, ignoring a global adversary, the problem is usually local. But CA's don't solve the global problem either.


Wouldn't you have to tell the central servers about each and every site you visited?


How is a central has server, which could be blocked by an attacker or simply be down, better than having a central authority sign my certificate?




Consider applying for YC's Summer 2026 batch! Applications are open till May 4

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: