
Can you not just have it use a self-signed certificate? I don't see why a CA would need to be involved at all, nor can I even imagine how that could be enforced at the protocol level.

This sounds like a red herring to me.

edit: Yeah, I've more or less confirmed that self-signed certs are perfectly fine in HTTP3. This is a big ball of nothing.




About half my personal (private, in my own home LAN) sites use self-signed certs that Chrome flat out won't accept. I have to type the magic key sequence to bypass the error. I do wish we could come up with something better for this kind of use case than having to set up letsencrypt on my public domain and issue a wildcard cert to use with RFC1918 web sites.

And that's without worrying about HTTP/3.


I wish there were an intermediate AH mode: the page is signed but not encrypted.

Or barring that, I wish that browsers would ease up a bit and make TOFU-style self-signed certs acceptable.

I really don't like how there is an expiry time built into TLS sites. Have you ever found someone's old site, usually hosted by a university, that just lives year after year like a time capsule? Well, that's not gonna happen with TLS.

And on the subject of CAs, I don't think I trust them any more than a TOFU model. Have you looked at and verified every authority in your CA file? Do you really trust the Turkish government to be able to sign for any web site?

Aha! you say, this is why we have cert pinning.

To which my reply is: cert pinning is the TOFU model where you have removed all user agency. It is better than the CA model but really sucks from an end-user perspective. When things go wrong, there is no easy way to fix it.


Add the certificate to your trusted store? HTTP3 will change nothing about this.


Yeah this is just a browser setting - this complaint sounds in bad faith coming from someone who apparently knows about all the other aspects of using certs?


If you control both the server and the client, you can make yourself your own private CA, issue all the certs you need, and have no browser errors anywhere.


> I have to type the magic key sequence to bypass the error.

8 keys? f + i + r + e + f + o + x + Enter?


'thisisunsafe' to answer the actual question


I suspect you're missing the subjectAltName field from your certificate(s).

https://developer.chrome.com/blog/chrome-58-deprecations/#re...


Use an empowered browser that lets you install your own private CA root.


Chrome does let you install your own private CA root. GP's problem sounds like a misconfiguration on the certificate-generation side.
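The private-CA route these replies point at, as an added example that is not from the thread (Go code I wrote, not anything a commenter posted): it builds a private root, issues a leaf for a constructed LAN host (nas.home.lan / 192.168.1.10, both made up), and shows that a verifier trusting that root accepts the cert only when the name is in subjectAltName, which is the Chrome 58 change linked above.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)

func must[T any](v T, err error) T { // demo-only: abort on the first error instead of returning it
	if err != nil {
		panic(err)
	}
	return v
}

// issue signs tmpl with parent/parentKey, or self-signs it when parent is nil (a root CA).
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// IssueAndVerify builds a private CA, issues a cert for the constructed LAN host nas.home.lan (192.168.1.10)
// with or without subjectAltName, and verifies it for host as a browser trusting the private root would.
func IssueAndVerify(withSAN bool, host string) error {
	ca, caKey := issue(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Home LAN Private CA"},
		NotBefore: time.Now(), NotAfter: time.Now().AddDate(10, 0, 0), IsCA: true, BasicConstraintsValid: true,
	}, nil, nil)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "nas.home.lan"},
		NotBefore: time.Now(), NotAfter: time.Now().AddDate(1, 0, 0),
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if withSAN { // Chrome 58+ and Go match the hostname against SANs only, never against the CN
		tmpl.DNSNames, tmpl.IPAddresses = []string{"nas.home.lan"}, []net.IP{net.ParseIP("192.168.1.10")}
	}
	leaf, _ := issue(tmpl, ca, caKey)
	roots := x509.NewCertPool() // stands in for a browser trust store with the private root installed
	roots.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host}) // nil means accepted
	return err
}
```

The CN-only cert fails with a hostname error even though the chain to the private root is valid, which is exactly the "missing subjectAltName" symptom the reply above suspects.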



