zlacker

[return to "So, you don't like a web platform proposal"]
1. gymbea+Sb[view] [source] 2023-07-25 05:42:21
>>KoftaB+(OP)
It’s passive-aggressive as hell and I can tell this guy and the idea as a whole are DOA… like even if this scheme didn’t give off strong Amp vibes, Google is the last company we want spearheading something like this. Stop trying to stay relevant, Google.
◧◩
2. superk+Hg[view] [source] 2023-07-25 06:30:57
>>gymbea+Sb
Google has already achieved this goal with their QUIC based HTTP/3. No implementation or use of HTTP/3 lib in any browser can connect to a webserver unless it gets the continued approval of a third party incorporated CA for TLS certs. With a 90 day renewal period that's basically just attestation of content every 90 days. If your site becomes illegal in an area (say, abortion information) then your CA TLS host can be pressured, cert revoked, and your site made unvisitable for all but uber geeks compiling their own HTTP/3 libs with special flags and linking them to $browser manually. There's no way to host a HTTP HTTP/3 site that's visitable. And no one minds. So...

Google could have avoided all of this blowback over WEI by simply calling it "HTTPS+ Everywhere" and pretending it helped user privacy only.

I'll grant there are a few more TLS CA options than possible WEI attestation options (if they really are to come from the OS vendors like the spec suggests). But not that many more and any legal pressure applicable to one is applicable to all. Both Google WEI and Google QUIC HTTP/3 are terrible and both need opposition or at least mitigation.

◧◩◪
3. sgammo+gi[view] [source] 2023-07-25 06:43:27
>>superk+Hg
Can't you sign your own certificates? Whether people trust those is a different story. WAI is different because it breaks abstraction by asserting based on details which are otherwise invisible to the server.
◧◩◪◨
4. superk+T71[view] [source] 2023-07-25 13:37:03
>>sgammo+gi
You can. It's just that no browser that supports HTTP/3 will accept it as a legit endpoint with a valid root. So they won't connect to the HTTP/3 endpoint at all and you won't be able to access the HTTP/3 self-signed website.

And before anyone goes there, no, setting up your own root CA is not an option. Unless you get can Google/Apple/Mozilla/etc to include your root CA in their browser trust stores it doesn't help a random person visit your website at all.

◧◩◪◨⬒
5. fruitr+M64[view] [source] 2023-07-26 05:29:00
>>superk+T71
>You can. It's just that no browser that supports HTTP/3 will accept it as a legit endpoint with a valid root. So they won't connect to the HTTP/3 endpoint at all and you won't be able to access the HTTP/3 self-signed website.

So long as there's a way to bypass verification or configure the trust store I'm okay with it. Is there official policy stating that this won't be possible or is this prediction?

As I understand it the primary reason for this push is that non-technical users too often skip security warnings, but I'm of the position there MUST at least be a way to bypass verification no matter what (through keyboard combos or a configurable trust store).

[go to top]