I just took surf to badssl.com to test how the TLS implementation in surf reacts. To test I took the default Arch Linux package for a ride. It failed the test. This is because by default: static Bool strictssl = FALSE;
Without this set to TRUE, the browser effectively does not look at the certificate. I understand the reason for turning it off (the whole PKI, X.509, HSTS, CSP, HPKP, and now freaking preload lists methodology sucks and DANE can't come soon enough), but to me this doesn't feel like the right way to handle invalid certificates by default (if the person chooses to turn off certificate validation, power to them). Would it not make more sense to allow the user to add the certificate's identity to a file in ~/.surf/ much like OpenSSH does? You can show it to them and ask if it is correct, then add it if they accept. This way only that file and cafile need to be tested for certificate validity, thus keeping the complexity arguably low. Setting this as the default means users are not locked out of sites with (for example) self-signed certificates while also giving them a heads up on MITM attacks.
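A sketch of the OpenSSH-style trust-on-first-use store proposed above, written as an added example (not surf's code and not from the poster). The file name ~/.surf/known_certs, its "host fingerprint" line format and the three outcomes are assumptions; the certificate bytes in the test are constructed, not real DER.

```python
import hashlib
from pathlib import Path

# Assumed per-user store, one "host SHA256-fingerprint" line per host (hypothetical path).
KNOWN_CERTS = Path.home() / ".surf" / "known_certs"


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 of the DER-encoded certificate as colon-separated upper-case hex."""
    digest = hashlib.sha256(cert_der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def parse_store(text: str) -> dict:
    """Parse the store's text into {host: fingerprint}; blank lines and '#' comments are skipped."""
    store = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, fp = line.split(None, 1)
        store[host] = fp.strip()
    return store


def serialize_store(store: dict) -> str:
    """Render {host: fingerprint} back into the line format, sorted for stable diffs."""
    return "".join(f"{host} {fp}\n" for host, fp in sorted(store.items()))


def check_cert(host: str, cert_der: bytes, store: dict) -> str:
    """'trusted' = pin matches; 'unknown' = first visit, show the user and ask;
    'mismatch' = a different certificate than the one pinned, i.e. a possible MITM.
    This runs only for certificates that the CA bundle (cafile) has already rejected."""
    pinned = store.get(host)
    if pinned is None:
        return "unknown"
    return "trusted" if pinned == fingerprint(cert_der) else "mismatch"


def pin_cert(host: str, cert_der: bytes, store: dict) -> dict:
    """Record the certificate after the user accepted it; returns the updated store."""
    store[host] = fingerprint(cert_der)
    return store


def load_store(path: Path = KNOWN_CERTS) -> dict:
    return parse_store(path.read_text()) if path.exists() else {}


def save_store(store: dict, path: Path = KNOWN_CERTS) -> None:
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(serialize_store(store))
```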