zlacker

Google has already achieved this goal with their QUIC based HTTP/3. No implementation or use of HTTP/3 lib in any browser can connect to a webserver unless it gets the continued approval of a third party incorporated CA for TLS certs. With a 90 day renewal period that's basically just attestation of content every 90 days. If your site becomes illegal in an area (say, abortion information) then your CA TLS host can be pressured, cert revoked, and your site made unvisitable for all but uber geeks compiling their own HTTP/3 libs with special flags and linking them to $browser manually. There's no way to host a HTTP HTTP/3 site that's visitable. And no one minds. So...

Google could have avoided all of this blowback over WEI by simply calling it "HTTPS+ Everywhere" and pretending it helped user privacy only.

I'll grant there are a few more TLS CA options than possible WEI attestation options (if they really are to come from the OS vendors like the spec suggests). But not that many more and any legal pressure applicable to one is applicable to all. Both Google WEI and Google QUIC HTTP/3 are terrible and both need opposition or at least mitigation.

>>superk+(OP)
Can't you sign your own certificates? Whether people trust those is a different story. WAI is different because it breaks abstraction by asserting based on details which are otherwise invisible to the server.

>>superk+(OP)
Has one of the standard open ACME providers ever revoked a cert over content? Hellenic Academic and Research Institutions CA (HARICA) threatened to, but the renewal went through and everything is working fine on my end.

>>sgammo+z1
> Can't you sign your own certificates?

Self-signed certificates are banned in HTTP/2 onwards, which is really irritating when it is used for internal server-to-server communications.

You have to set up a Root CA certificate and use that to sign a second certificate. It's the same thing but with extra steps.

>>jiggaw+E4
I've never had an issue using HTTP/2 with a self signed cert.

>>jiggaw+E4
Huh? Self-signed certificates work with HTTP/2 in every browser I've tried it in, it just uses the usual trust-on-first-use system where you have to click past a warning.

>>jiggaw+E4
That's still self-signing. So the extra steps are immaterial to the point.

>>superk+(OP)
> If your site becomes illegal in an area (say, abortion information) then your CA TLS host can be pressured, cert revoked

oh please... scare monger more. Like great, let's attach your petty little gripe to something that people care about in order to maybe get them on your side. except you can't show any real examples of it truly applying, so you just have to hint like "oh, this is possible, just imagine".

>>sgammo+z1
You can. It's just that no browser that supports HTTP/3 will accept it as a legit endpoint with a valid root. So they won't connect to the HTTP/3 endpoint at all and you won't be able to access the HTTP/3 self-signed website.

And before anyone goes there, no, setting up your own root CA is not an option. Unless you get can Google/Apple/Mozilla/etc to include your root CA in their browser trust stores it doesn't help a random person visit your website at all.

>>superk+cR
That's still self-signing. So the extra steps are immaterial to the point.

>>superk+cR
>You can. It's just that no browser that supports HTTP/3 will accept it as a legit endpoint with a valid root. So they won't connect to the HTTP/3 endpoint at all and you won't be able to access the HTTP/3 self-signed website.

So long as there's a way to bypass verification or configure the trust store I'm okay with it. Is there official policy stating that this won't be possible or is this prediction?

As I understand it the primary reason for this push is that non-technical users too often skip security warnings, but I'm of the position there MUST at least be a way to bypass verification no matter what (through keyboard combos or a configurable trust store).