by langarto 2067 days ago
Currently they trust everything in fact.

Why should I trust Digicert for example? When did I make that decision?

What does 'trust' mean if the decision is made by others?

You trust Firefox (Mozilla), Mozilla trusts Digicert. If you don't trust Mozilla to make good security decisions, switch browsers. If you want to second-guess this particular decision, you can adjust your Firefox configuration.
As a developer what I find frustrating is that it is so difficult to make my browser trust 127.0.0.1.

Shouldn't there be an easy way to configure it to trust that?

What does it mean to trust an IP address? If you found that a link took you to gmail.com on 127.0.0.1:8716, would you be fine with providing your gmail credentials to that site?
I would think I can trust anything on 127.0.0.1 because that can only be my local machine, right?

If there is something running on 127.0.0.1:8716 which I have not given permission to run then my machine is compromised already. No?

https://1.1.1.1/ is a thing. Certificate used: https://crt.sh/?id=1044327786
If the site provides a trusted certificate for gmail.com, things are fine. IP shouldn't matter, port probably will.
AFAIK http://localhost is treated the same as https://localhost so you shouldn't need a self-signed certificate.
https://localhost doesn't work without a self-signed certificate...
Sure, but you can use http://localhost, and it will be treated as a secure origin.
Some OAuth providers require https (even for localhost), and if I'm using WebAuthn, I have to have a certificate.