by yamtaddle
1139 days ago
I think the concerns/difficulties are:

1) Business contexts. A local network maybe shouldn't be trusted, there, for security purposes. "OK, but they should set that with policies" which, yes, sure, but defaults do matter, so... I dunno, I can see why they'd prefer the safer default.

2) Lying DNS servers on a local-but-actually-public network (think: coffee shop wifi) directing you to a local address to bypass SSL protection while it proxies Amazon or your bank website or whatever, and steals your credentials.

3) IPv6 is supposed to render these distinctions rather moot (although, LOL, and also that's precisely one thing some folks don't like about it, but that's another topic)
|
It's a pet peeve of mine, as you may have noticed. I have a lot of little random devices on my home network and many of them have no way (or no simple way, at least) of protecting with a real SSL certificate. Sometimes I'll go through the trouble of using nginx as a reverse proxy to hide the insecurity, but that isn't always easy to get working either.