
All web encryption is backed by a static list of root certs each browser maintains.

Idk any other way to solve it for the general public (ideally each user would probably pick what root certs they trust), but it does seem crazy.





We already have a solution to solve it: DNS-based Authentication of Named Entities (DANE).

This solution is even more obvious today where most certificates are just DNS lookups with extra steps.



