I just took surf to badssl.com to test how the TLS implementation in
surf reacts. To test I took the default Arch Linux package for a ride.
It failed the test. This is because by default:
static Bool strictssl = FALSE;
Without this set to TRUE, the browser effectively does not look at the
certificate. I understand the reason for turning it off (the whole PKI,
X.509, HSTS, CSP, HPKP, and now freaking preload lists methodology sucks
and DANE can't come soon enough), but to me this doesn't feel like the
right way to hand invalid certificates by default (if the person chooses
to turn off certificate validation, power to them).
Would it not make more sense to allow the user to add the certificate's
identity to a file in ~/.surf/ much like OpenSSH does? You can show it
to them and ask if it is correct, then add it if they accept. This way
only that file and cafile need to be tested for certificate validity,
thus keeping the complexity arguably low. Setting this as the default
means users are not locked out of sites with (for example) self signed
certificates while also giving them a heads up on MITM attacks.