by valenterry 482 days ago
Yes it is. Hashes must absolutely be used in that case.

It should just not be done at all. But the main browser vendor loves tracking so they won't forbid this.
Are you saying Chrome should block all script includes that don't have hashes? That'll break tons of sites. See "Don't break the web"[1].

Disclosure: I work at Google, but not on Chrome.

[1] https://flbrack.com/posts/2023-02-15-dont-break-the-web/

Also expired certificates break a lot of websites… should we disable checking?
Certificate expiration isn't an unanticipated regression. You know when you get a certificate when it will expire.
I don't mean to be pedantic, but not always--see the recent DigiCert delayed revocation issues. I will admit it is rare though and more often than not, you (should) know when your certs are going to expire.
Those websites set up the expiring certificate themselves.
Maybe, but just from a security point of view it's totally fine.
Getting tracked is less secure than not getting tracked.
Getting hacked is less secure than getting tracked.
Very clever. But getting tracked doesn't in any way protect you from getting hacked. It just exposes you to more risks, including getting hacked.
Fair enough.