
Just because you don't have signed certificates doesn't mean you can't protect against MitM attacks. Your browser just has to remember what the certificate was the first time, and alert you if it changes.

Sound familiar? It should, ssh(1) does this by default.



The first time you connect to any SSH server, the connection can be hijacked. People used to do this for sport at Usenix.

Why would anyone accept this weakness with their bank account? My mom barely understands the lock icon.


What sort of person goes to a conference like Usenix and connects to an external server for the first time? I've been to a dozen conferences, at all of which I've used ssh, and I've never connected to an external box for the first time.


I can't imagine what possible point you could be trying to make. Am I making this up or not? I doubt I am, but who cares? The issue with first-connection security in SSH is a fact, not an opinion.


Yes, first-connection security is not an option. But the vast majority of connections are not first connections.

If I ssh to a new box at home, then go to Usenix and ssh warns me that the host key changed I'll have protected against MitM attacks, even if the original connection wasn't authenticated.


That model works passably well for SSH connections. You make perhaps tens of those connections every day, from perhaps several devices.

It doesn't work at Internet scale. It's too insecure. It's very unlikely that key continuity is going to replace PKI in HTTPS.

Do I have strong opinions about PKI vs. key continuity? No. All I'm saying is that it's not a panacea. SSH-style key continuity is not the global solution for the certificate warning Firefox is annoying you with.

You realize that Firefox already does this, right? Just hit "add exception" when the dialog pops up. Look! It works just like SSH!


Arguably, the right way of doing it is to use both. PKI to auth first connect, remember the chain to prevent bad CAs from giving certs to people pretending to be BoA.


Why not abandon central key authorities and go distributed? Bring social networks and the web-of-trust together.

  "3 of your friends have said that they trust this
  certificate from Amazon.com. Do you want to accept it?"


If I had a dollar for every time a friend clicked a .exe email attachment, I'd be a very wealthy man. I damn sure don't trust my friends to verify the security of a cert.


I have some security-savvy friends (who I'd trust) and some not so smart friends (who I don't trust on this subject). So, the obvious idea is to put weight coefficients on WoT digraph edges. But I have a feeling that this would be too complicated to manage.


Your mom would trust you and then her friends would trust her, then they'd all get burned because she meant to click No one time and it would all be your fault.


I don't care how you set up the PKI. You can use a carrier pigeon trust network if you want. If you can beat SSL's PKI then brilliant. The important part is to use PKI to auth first contact and verify no unseemly changes happen during subsequent contacts by bothering to remember the previous cert chains.
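The model sketched in this thread (remember what you saw the first time and alert on change, with PKI gating the first contact) as an added illustration; this is not code from the thread or from any browser or SSH implementation. The certificates are constructed byte strings standing in for DER-encoded leaf certificates, and `chain_is_valid` is a hypothetical hook that a real client would replace with its actual CA chain validation.

```python
"""Key continuity ("trust on first use") with a PKI-gated first contact.

Added example, not code from the discussion. Certificates are constructed
stand-ins; the chain validator is a hypothetical hook.
"""
import hashlib
import json
import tempfile
from pathlib import Path
from typing import Callable, Dict, List, Optional

# Outcomes returned by ContinuityStore.check()
FIRST_CONTACT = "first-contact: chain valid, fingerprint pinned"
MATCH = "match: pinned certificate unchanged"
MISMATCH = "MISMATCH: certificate changed since first contact"
REJECTED = "rejected: chain failed validation on first contact"


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 over the certificate bytes (what a browser shows as the cert fingerprint)."""
    return hashlib.sha256(cert_der).hexdigest()


class ContinuityStore:
    """Per-host fingerprint memory, in the spirit of ~/.ssh/known_hosts.

    If `path` is given the pins persist as JSON; otherwise they live in memory.
    """

    def __init__(self, path: Optional[Path] = None) -> None:
        self.path = path
        self.pins: Dict[str, str] = {}
        if path is not None and path.exists():
            self.pins = json.loads(path.read_text())

    def _save(self) -> None:
        if self.path is not None:
            self.path.write_text(json.dumps(self.pins, indent=2))

    def check(self, host: str, cert_der: bytes,
              chain_is_valid: Callable[[bytes], bool]) -> str:
        fp = fingerprint(cert_der)
        pinned = self.pins.get(host)
        if pinned is None:
            # First contact is the unauthenticated step in pure SSH-style TOFU;
            # here it is gated on PKI validation, as the thread proposes.
            if not chain_is_valid(cert_der):
                return REJECTED
            self.pins[host] = fp
            self._save()
            return FIRST_CONTACT
        if pinned == fp:
            return MATCH
        # A changed certificate is flagged even if its chain validates: a cert
        # mis-issued by a bad CA would validate too, and that is the case
        # continuity exists to catch. Replacing the pin is a separate,
        # deliberate action (see accept_new), like "add exception" in Firefox.
        return MISMATCH

    def accept_new(self, host: str, cert_der: bytes,
                   chain_is_valid: Callable[[bytes], bool]) -> bool:
        """Explicitly replace a pin after the user has verified the change; still PKI-gated."""
        if not chain_is_valid(cert_der):
            return False
        self.pins[host] = fingerprint(cert_der)
        self._save()
        return True


def fake_chain_validator(cert_der: bytes) -> bool:
    """Hypothetical stand-in for CA chain validation: constructed certs carry a marker."""
    return b"CHAIN-VALID" in cert_der


def demo() -> List[str]:
    """Walk a host through first contact, a repeat visit, and a changed certificate."""
    cert_v1 = b"CONSTRUCTED DER bank.example CHAIN-VALID serial=1"  # constructed sample
    cert_v2 = b"CONSTRUCTED DER bank.example CHAIN-VALID serial=2"  # constructed sample
    with tempfile.TemporaryDirectory() as tmp:
        store_path = Path(tmp) / "pins.json"
        results = [
            ContinuityStore(store_path).check("bank.example", cert_v1, fake_chain_validator),
            # A fresh store object reloads the pin from disk, so the match survives restarts.
            ContinuityStore(store_path).check("bank.example", cert_v1, fake_chain_validator),
            ContinuityStore(store_path).check("bank.example", cert_v2, fake_chain_validator),
        ]
    return results


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The pin here is the leaf certificate fingerprint, which is the simplest form and also the noisiest: a site that legitimately rotates its leaf often will trip the mismatch on every rotation, which is the objection raised below about high-traffic SSL sites. Pinning something longer-lived (the issuing chain, or the public key) in the same store is the usual way to keep the check while cutting that noise.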


Considering that about every third time I visit a high-traffic site with SSL I get a new cert pushed to me, I don't think SSH is a good comparison.

Also, perhaps I skipped over this, but tcpcrypt seems like a level of encryption well below the application layer, thus if we did get a hijacker trying to 'change the self-signed cert' after an initial connection (or just dropping the encryption) we wouldn't know, unlike SSL/browsers. Am I incorrect?




