this post was submitted on 07 Apr 2025
364 points (98.1% liked)
Privacy
36771 readers
164 users here now
A place to discuss privacy and freedom in the digital world.
Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.
In this community everyone is welcome to post links and discuss topics related to privacy.
Some Rules
- Posting a link to a website containing tracking isn't great, if contents of the website are behind a paywall maybe copy them into the post
- Don't promote proprietary software
- Try to keep things on topic
- If you have a question, please try searching for previous discussions, maybe it has already been answered
- Reposts are fine, but should have at least a couple of weeks in between so that the post can reach a new audience
- Be nice :)
Related communities
much thanks to @gary_host_laptop for the logo design :)
founded 5 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
Tofu stands for Trust on First Use. So basically, you would get an SSL certificate from the website the very first time you connected to it, instead of trusting a certificate authority. Then, if the SSL certificate changed, you would then be warned that the certificate had changed and would have to decide whether to trust the new certificate or not trust the new certificate. That's why I said perhaps search engines could index certificates and tell you how long the certificate has been active and you could check several engines quickly to determine whether each engine has the same certificate indexed for the same website and if they did not then you would know something might be up.
I don't feel like this adequately accounts for stupid people though. The number of times I've seen people freak out over a perfectly legit website because a cert warning popped up or others who have ignored the warning and clicked through to a scam or malware... ๐คฆโโ๏ธ
Decentralization comes with some casualties, and stupid people might just be those casualties.
Oh, this is certainly complex logic (for the search engine I mean).
Well, it really depends on if you want somebody to trust or not. If you don't want to trust anybody except yourself, then you can just use Tofu and be good with it. The only reason I brought up using search engines as an index is just to give people a place to look.
If I want to visit CNBC and I've never visited them before, I could just go straight to CNBC and trust their certificate right away. Or, if I wanted to confirm that the CNBC certificate was likely valid, I could ask DuckDuckGo, Google, and Quant. And if they all agreed that they had the same certificate that I was getting, I'd be more likely to think that it's valid.
This is actually a great idea. Is there an opensource implementation of it?
Well, you can just generate your own SSL certificate on your machine, locally. I believe you can probably do it with OpenSSL. I've only done it with my Monero node, and they offer a binary, which will generate a certificate for you. I would just look up how to create a self-signed SSL certificate. My guess is it's just a few commands in the terminal.
No, I meant the logic where the browser would prompt the user to review and verify the cert for a particular website without consulting a CA. I run some self-signed certs already but I'd love to implement this in my homelab.
Oh, that was an idea for a way to do it. Not anything that's been implemented, or at least not to my knowledge.