32e4ca1c33f9868bad88d181d08783c6
TLS False Positives
Creative Commons Attribution-No Derivative Works 4.0
THE layers of additional complexity often make it hard to set up a Web site and to use a Web browser, confusing both system administrators and users. Geminispace with its capsules model (self-signed certificates) lowered the entry barrier, but the Web persists with the security theatre of chaos. In a nutshell, on the Web you're now expected not just to fully embrace HTTPS but also outsource control over it; many outsource to companies like ClownFlare, which in turn worsens privacy. It's almost a taboo to criticise this.
"The conclusion one can reach is that what used to be a simple protocol has been unnecessarily complicated. Developers too are struggling with this complexity, not just users. And they both suffer."In the video above I demonstrate that Kristall, a Gemini client with support for 3 or 4 other protocols, has an utterly dumb or broken way of handling TSL certificates for HTTPS. Why? It's OK with self-signed for Gemini but not HTTPS. But why? No good reasons! Upon closer scrutiny, the implementation of this is clearly buggy. The complexity messed it up. We should be 'forgiving' towards sites that self-sign certificates (many have legitimate reasons) and less 'forgiving' towards Web browsers that deny this. Who are they serving? Users? Sites? Or the CA cartel?
In the case of Kristall, it seems to boil down to a bug. But it's a very obnoxious one. The software does not seem to be very actively developed anymore (no commits since January), so we are guessing that a fix is not on the way.
The conclusion one can reach is that what used to be a simple protocol has been unnecessarily complicated. Developers too are struggling with this complexity, not just users. And they both suffer.
The Web is closing, it's getting locked down, and not in a positive way. ⬆