by radicalbyte 964 days ago
I'm no fan of the existing system of CA - in 2023 we should have certificate pinning for sites with a mechanism for checking which certificate hashes are valid for which site (via a distributed ledger or via browser vendors etc).

However this amendment is disgusting.

I was one of the many experts reviewing previous drafts; the timing and content of these changes are absolutely an attempt by security services to break security on the web.

3 comments

HPKP was generally not recommended even when it was still around due to the danger of breaking your site. https://scotthelme.co.uk/im-giving-up-on-hpkp/

We're already all used to running ad/script block on our clients so accept a certain level of breakage. It's just a part of the cost of using the web that some sites are crap (YouTube being the big one nowadays) but in the end we just "route around them" (they die).

> We're already all used to running ad/script block on our clients so accept a certain level of breakage.

The "we" reading this post? Yeah, probably.

The internet population as a whole? Absolutely not, nowhere close.

I've been using Adblock or its descendants since the original Firefox extension where downloadable filter lists were a separate addon, and every time I have to browse a mainstream web site when using a "normal" person's computer it blows my mind how bad the experience is with all kinds of extra iframes I never normally see full of ads moving around, modals, etc. without even getting into video content.

Normal people don't troubleshoot things like we do, if it doesn't work they try to do the same thing over and over again until they get bored or annoyed and then either move on or call one of us to "fix it".

Exactly. Besides, why should a grandma lose online banking access because some IT guy (or gal, I'm not judging) fat-fingered a certificate revocation in production and now the site is broken?

> in the end we just "route around them" (they die)

My comment was about the perspective of the website owner, not the website user. The website owner certainly doesn't want to be routed around and have the website die. So the website owner will avoid HPKP.

We already have such a system: DANE + DNSSEC. Unfortunately browser vendors do not implement it.

Interesting - I know DNSSEC (great solution) but haven't seen DANE. From a quick glance it looks like an obvious solution which should be implemented by the browser vendors and top sites.

DNSSEC is a great concept with a rather convoluted design that's based on limitations of computers in the 90s. It's obviously better to have DNSSEC than not to, but I wouldn't call it a "great solution".

Case in point: the DNS client never actually validates the DNSSEC signatures, the DNS server the client uses is supposed to do that, and then simply sets a flag that says "I validated this". Perfect for recursive DNS resolvers running on localhost, but terrible for security when applied as designed.

Another example: Firefox currently has encrypted client hello enabled to encrypt the SNI information and help combat traffic analysis, but only if you enable DoH to ensure that the necessary DNS records are correct. Once again, Mozilla didn't trust DNSSEC to work right and opted to trust DoH servers on their word.

In truth, DNSSEC isn't widely used, at least not internationally. Some TLDs have high DNSSEC usage, often because their registrar advocates for securing DNS, but with companies like Amazon failing to produce DNSSEC software that doesn't cause massive outages and TLDs like .nz going down for a day because of bad policies and management, many people don't bother.

It's a shame, really, because DANE would've fixed so many problems. I attribute its failure mostly to the design decisions the people behind DNSSEC made when they released the protocol.
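
The validation hand-off described in the comment above, as an added example that is not part of the original thread: it decodes the DNS header to show that "I validated this" is a single flag bit (AD, RFC 4035), and applies a stub-resolver policy that honours it only over a path to the resolver that cannot be tampered with. The function names, the policy and the sample headers are assumptions constructed for illustration.

```python
import ipaddress
import struct

# Bits in the 16-bit flags word of the DNS header (RFC 1035, RFC 4035).
QR = 0x8000  # message is a response
AD = 0x0020  # "Authenticated Data": the resolver says it validated DNSSEC
CD = 0x0010  # "Checking Disabled"
RCODE_MASK = 0x000F

def parse_header(msg: bytes) -> dict:
    """Decode the fixed 12-byte DNS header."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    return {"id": ident, "qr": bool(flags & QR), "ad": bool(flags & AD),
            "cd": bool(flags & CD), "rcode": flags & RCODE_MASK, "ancount": an}

def ad_is_meaningful(msg: bytes, resolver_ip: str, channel_authenticated: bool) -> bool:
    """Hypothetical stub-resolver policy: honour AD only when the path to the
    validating resolver is loopback or an authenticated channel (DoT/DoH).
    Even then the stub is taking the resolver's word; it checks no signature."""
    hdr = parse_header(msg)
    if not (hdr["qr"] and hdr["ad"] and hdr["rcode"] == 0):
        return False
    on_loopback = ipaddress.ip_address(resolver_ip).is_loopback
    return on_loopback or channel_authenticated

# Constructed sample header: id 0x1a2b, flags 0x81a0 (QR|RD|RA|AD), 1 question, 1 answer.
SAMPLE_VALIDATED = struct.pack("!6H", 0x1A2B, 0x81A0, 1, 1, 0, 0)
# Same header with AD cleared (flags 0x8180); neither message carries signature data.
SAMPLE_UNVALIDATED = struct.pack("!6H", 0x1A2B, 0x8180, 1, 1, 0, 0)

if __name__ == "__main__":
    cases = [("remote resolver, plain UDP", "192.0.2.53", False),
             ("resolver on localhost", "127.0.0.1", False),
             ("remote resolver over DoH", "192.0.2.53", True)]
    for label, ip, authed in cases:
        print(label, "->", ad_is_meaningful(SAMPLE_VALIDATED, ip, authed))
```
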

> It's a shame, really, because DANE would've fixed so many problems.

It would basically make services like Let's Encrypt unnecessary and would move us close to a world where email encryption and validation works by default.

It would take us to a world where the only CA you can and have to trust is the TLD operators and their nation. Where transparency is mostly an afterthought and violators can't be forced to do anything.

DNSSEC sucks ass.

Why do we need that? The CA system with TLS certificates works well, even while DNS is not trusted. It's a good solution for websites.