in my opinion, self-signatures should have been treated as something normal, with a warning only triggered if the site has been visited before and the signing key has changed
Two problems with self-signed Trust On First Use (TOFU):
- Long-lived secrets without a revocation mechanism. Current approaches—OCSP and client-side CRL checking—all use the certificate authority (CA) system.
- Zero defense against TLS stripping attacks during the initial connection. You need to know the connection is authentic without taking the response at its word.
You could implement revocation with your own server, but stripping attacks make it absolutely trivial for an intermediary to compromise a connection. Your initial connection is as authentic as an HTTP site, and all subsequent connections are only as secure as your initial connection. Hostile networks are increasingly the norm, so this isn’t a solid foundation.
A key-pinning system only works when backed by a separate source of trust. Examples include a CA or DNSSEC trust anchor (for DANE).
Unfortunately, HTTP Public Key Pinning never took off since admin errors could irrevocably nuke a site, and browser devs don’t want DANE without pinning.
banks and other sites needing higher-than-usual trust would still use authority-signed certificates
I disagree that good security should be limited to “big important players” rather than being the default behavior. “Normal” sites often feature popular interception targets such as donation links, contact methods, log-ins, etc.
If we’re going to get rid of the CA system, we should replace it first. Tor and Yggdrasil seem like interesting alternatives, though lacking domain names.
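To make the proposal and the reply's two objections concrete, here is an added example (not code from either commenter): a minimal TOFU pin store in Python that implements "warn only when a previously visited site's key changes". The host name and key bytes are constructed; the SHA-256 of raw key bytes stands in for a real SPKI fingerprint.

```python
"""TOFU pin store: trust the first key seen, warn only when a known host's key changes.
The two weaknesses from the reply are visible in the code paths: first contact is trusted
blindly, and a legitimate key rotation is indistinguishable from a substituted key."""
import hashlib
from dataclasses import dataclass, field
from enum import Enum


class Verdict(Enum):
    FIRST_USE = "first-use: key pinned without any independent check"
    MATCH = "match: pinned key presented again"
    KEY_CHANGED = "warning: pinned key changed (rotation or substitution, no way to tell)"


def spki_fingerprint(public_key: bytes) -> str:
    """SHA-256 over the key bytes; a real client would hash the DER-encoded SPKI."""
    return hashlib.sha256(public_key).hexdigest()


@dataclass
class TofuPinStore:
    pins: dict[str, str] = field(default_factory=dict)  # host -> pinned fingerprint

    def observe(self, host: str, public_key: bytes) -> Verdict:
        fp = spki_fingerprint(public_key)
        pinned = self.pins.get(host)
        if pinned is None:
            # Whatever answers the very first time becomes the trust anchor:
            # there is no CA or DNSSEC record to check it against.
            self.pins[host] = fp
            return Verdict.FIRST_USE
        if pinned == fp:
            return Verdict.MATCH
        # No revocation channel exists, so the store cannot learn that the old
        # key was retired; every change looks the same to the user.
        return Verdict.KEY_CHANGED


def first_contact_scenario() -> list[Verdict]:
    """Constructed scenario: an intermediary answers the first contact with its own key,
    so the genuine key, seen later, is the one that triggers the warning."""
    store = TofuPinStore()
    genuine_key = b"constructed genuine key for example.test"
    intermediary_key = b"constructed key held by someone on the path"
    return [
        store.observe("example.test", intermediary_key),  # pinned silently
        store.observe("example.test", intermediary_key),  # matches, no warning
        store.observe("example.test", genuine_key),       # real site now warns
    ]
```

The returned verdicts show why "only as secure as your initial connection" holds: the warning fires against the genuine key, not the substituted one.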