To actually tackle this (on the off chance you're serious, I'm assuming not) - this doesn't work.
The payload that implements your crypto cannot be delivered over HTTP, because any intermediate party can just modify your implementation and trivially compromise it.
If you don't trust TLS, you have to pre-share something. In the case of TLS and modern browser security, the "pre-shared" part is the crypto implementation running in the browser, and the default trusted store of root CAs (which lives in the browser or OS, depending).
If you want to avoid trusting that, you've got to distribute your algorithm through an alternative channel you do trust.
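The argument in the comment above, as an added Python example that is not part of the thread: integrity data sent over the same plain-HTTP channel as the payload verifies fine after modification, while a digest pre-shared through a separate trusted channel does not. The payload, the function names and the pinning step are constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample: the crypto implementation a site would serve to the browser.
GENUINE = b"function encrypt(key, msg) { return aesGcm(key, msg); }"
# Assumption: this digest reached the client through a separate, trusted channel.
PINNED_SHA256 = hashlib.sha256(GENUINE).hexdigest()


def serve(payload: bytes) -> dict:
    """Origin: sends the payload and its own digest, both over plain HTTP."""
    return {"body": payload, "sha256": hashlib.sha256(payload).hexdigest()}


def intermediary(response: dict) -> dict:
    """Simulated on-path party: changes the body and recomputes the in-band digest."""
    body = response["body"].replace(b"aesGcm(key, msg)", b"msg")
    return {"body": body, "sha256": hashlib.sha256(body).hexdigest()}


def in_band_check(response: dict) -> bool:
    """Trusts integrity data that travelled over the same unauthenticated channel."""
    digest = hashlib.sha256(response["body"]).hexdigest()
    return hmac.compare_digest(digest, response["sha256"])


def pinned_check(response: dict, pinned: str = PINNED_SHA256) -> bool:
    """Compares the received body against the pre-shared digest."""
    digest = hashlib.sha256(response["body"]).hexdigest()
    return hmac.compare_digest(digest, pinned)


def compare() -> dict:
    """Returns (in_band_ok, pinned_ok) for an untouched and a modified response."""
    genuine = serve(GENUINE)
    modified = intermediary(genuine)
    return {
        "genuine": (in_band_check(genuine), pinned_check(genuine)),
        "modified": (in_band_check(modified), pinned_check(modified)),
    }


if __name__ == "__main__":
    for name, (in_band_ok, pinned_ok) in compare().items():
        print(f"{name:9} in-band check: {in_band_ok}  pinned check: {pinned_ok}")
```

Only the check anchored in something the network path could not touch tells the two responses apart, which is the role the browser's built-in crypto and root store play for TLS.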
https://badssl.com/ also offers several test subdomains in the same vein.
Interesting. Chrome (146, macOS) shows no error messages on the revoked cert pages, but Firefox does (also macOS).
Yeah, Chrome only partly supports revocation (not sure exactly what the criteria are, but our test sites don't match them).
Same with Brave, so it is a Chromium thing.
Vanadium, Chrome and Firefox (all for Android) all accept all the revoked certificates... But revoked.badssl.com is considered revoked.
> Vanadium, Chrome and Firefox (all for Android) all accept all the revoked certificates... But revoked.badssl.com is considered revoked.
Firefox Beta (150.0b7) is accepting all of the revoked certs on my device.
Meanwhile HTTP keeps working just fine and is decentralized.
Just "add your own crypto" on top, which is the ONLY thing a sane person would do.
3... 2... 1... banned?
Did you self-ban?
XD Nope, more like self destruct! ;)