zlacker

7 comments
1. sgammo+(OP) 2023-07-25 06:43:27
Can't you sign your own certificates? Whether people trust those is a different story. WAI is different because it breaks abstraction by asserting based on details which are otherwise invisible to the server.
replies(2): >>jiggaw+53 >>superk+DP
2. jiggaw+53 2023-07-25 07:13:07
>>sgammo+(OP)
> Can't you sign your own certificates?

Self-signed certificates are banned in HTTP/2 onwards, which is really irritating when it is used for internal server-to-server communications.

You have to set up a Root CA certificate and use that to sign a second certificate. It's the same thing but with extra steps.

replies(3): >>charci+U6 >>creato+v8 >>sgammo+r9
3. charci+U6 2023-07-25 07:46:08
>>jiggaw+53
I've never had an issue using HTTP/2 with a self-signed cert.
4. creato+v8 2023-07-25 07:59:48
>>jiggaw+53
Huh? Self-signed certificates work with HTTP/2 in every browser I've tried it in, it just uses the usual trust-on-first-use system where you have to click past a warning.
5. sgammo+r9 2023-07-25 08:09:08
>>jiggaw+53
That's still self-signing. So the extra steps are immaterial to the point.
6. superk+DP 2023-07-25 13:37:03
>>sgammo+(OP)
You can. It's just that no browser that supports HTTP/3 will accept it as a legit endpoint with a valid root. So they won't connect to the HTTP/3 endpoint at all and you won't be able to access the HTTP/3 self-signed website.

And before anyone goes there, no, setting up your own root CA is not an option. Unless you can get Google/Apple/Mozilla/etc. to include your root CA in their browser trust stores, it doesn't help a random person visit your website at all.

replies(2): >>sgammo+SJ2 >>fruitr+wO3
7. sgammo+SJ2 2023-07-25 20:53:43
>>superk+DP
That's still self-signing. So the extra steps are immaterial to the point.
8. fruitr+wO3 2023-07-26 05:29:00
>>superk+DP
> You can. It's just that no browser that supports HTTP/3 will accept it as a legit endpoint with a valid root. So they won't connect to the HTTP/3 endpoint at all and you won't be able to access the HTTP/3 self-signed website.

So long as there's a way to bypass verification or configure the trust store I'm okay with it. Is there official policy stating that this won't be possible or is this prediction?

As I understand it the primary reason for this push is that non-technical users too often skip security warnings, but I'm of the position there MUST at least be a way to bypass verification no matter what (through keyboard combos or a configurable trust store).
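The private-CA setup jiggaw describes (a self-signed root that signs a separate server certificate) and the configurable-trust-store question fruitr raises, as an added example in Go that is not part of the thread: BuildChain issues both certificates with the standard library, and Verify shows the server certificate validating only when that root is in the client's trust store. The CA name, host name and lifetimes are constructed for the example.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
// newCert generates an Ed25519 key for tmpl and has parentKey sign it; a nil parent means self-signed.
func newCert(tmpl, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey, error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil { // the root is the only self-signed certificate in the chain
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}
// BuildChain does the thread's "extra steps": a private root CA, then a separate server cert for host signed by that root.
func BuildChain(host string) (root, leaf *x509.Certificate, err error) {
	now := time.Now().Add(-time.Minute) // constructed lifetimes: 10 years for the root, 90 days for the server cert
	root, rootKey, err := newCert(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Internal Root CA"}, NotBefore: now,
		NotAfter: now.AddDate(10, 0, 0), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}, nil, nil)
	if err != nil {
		return nil, nil, err
	}
	leaf, _, err = newCert(&x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: host}, DNSNames: []string{host}, NotBefore: now,
		NotAfter: now.AddDate(0, 0, 90), ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, root, rootKey)
	return root, leaf, err
}
// Verify checks leaf for host against a trust store holding only root; nil root means an empty store (CA never imported).
func Verify(leaf *x509.Certificate, host string, root *x509.Certificate) error {
	pool := x509.NewCertPool()
	if root != nil {
		pool.AddCert(root)
	}
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: pool})
	return err
}
```

Calling Verify with a nil root is the client superk describes (nothing in the trust store matches), while adding the root to the pool is the "configure the trust store" path fruitr asks about.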