> How people still think the PKI system is actually delivering security is beyond me.
It has its problems, but it's what we've got to work with right now, and it's not as bad as you make it seem.
> it's identical to a self-signed cert, since Comodo is a known bad actor now
That's not technically true. I dislike Comodo as much as the next person, but this statement is a bit disingenuous, since you're implying that you can trust anyone who generates their own certificate for google.com or yourbank.com more than a CA-signed certificate. There's a reason PKI exists; it's because self-signed certificates by themselves aren't trustworthy in the wild.
But Comodo can issue a certificate for google.com or yourbank.com
They may have, for that matter. Do you check the issuer every time you go to a secure site? Do you trust them to do a better job securing either of those domains than they did with a large telecom in Austria?
And they have to do that precisely because there are 170 or so entities of various levels of dubiousness that are by default authorized to sign any certificate for any domain, and everybody knows that this is fundamentally a horrible idea.
For that matter, since HPKP requires sideband key management, it's
A) an admission that PKI doesn't actually work, and
B) a pretty clear example of why the CAs are unnecessary
If you have pinned certificates you are essentially operating exactly the way 99% of us do with SSH (only rather better because there are several million eyes on high-value certificates), which means you don't need CAs anymore.
Pins are either built into the browser by the vendor, or assigned on first access AFTER a successful server authentication (via the cert).
Pins are trusted/verified through another channel.
SSH TOFU trust occurs before server authentication. It has no defense against an ALWAYS MITM. Of course there are far fewer ALWAYS MITMs for SSH than TLS.
You have no way of validating the pubkey you have written to known_hosts against anything else.
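As an added illustration of the TOFU failure mode discussed above (example code, not from anyone in the thread): a small Python model of known_hosts trust, using constructed placeholder key bytes rather than real SSH keys and the OpenSSH hashed-hostname entry format. It shows that TOFU catches a key change after an honest first connection, but an interceptor present on the first connection simply becomes the recorded key.

```python
import base64
import hashlib
import hmac
import os

# Model of SSH trust-on-first-use as known_hosts implements it: the key seen on
# the first connection is recorded, every later connection is compared to it.
# Hostnames are stored in the OpenSSH HashKnownHosts form "|1|b64(salt)|b64(mac)".
# Added example; key bytes below are constructed placeholders, not real keys.

def hashed_host(hostname: str, salt: bytes) -> str:
    """Build a hashed known_hosts host field: HMAC-SHA1 keyed with the salt."""
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())

def host_matches(entry_host: str, hostname: str) -> bool:
    """Match a plain or hashed host field against the hostname being connected to."""
    if not entry_host.startswith("|1|"):
        return entry_host == hostname
    _, _, salt_b64, mac_b64 = entry_host.split("|")
    expected = hmac.new(base64.b64decode(salt_b64), hostname.encode(), hashlib.sha1).digest()
    return hmac.compare_digest(expected, base64.b64decode(mac_b64))

class KnownHosts:
    def __init__(self):
        self.entries = []  # lines in "host keytype base64key" form

    def connect(self, hostname: str, keytype: str, pubkey: bytes) -> str:
        """Return 'new' (first use, key recorded), 'ok' (matches) or 'MISMATCH'."""
        key_b64 = base64.b64encode(pubkey).decode()
        for line in self.entries:
            host, ktype, stored = line.split(" ")
            if host_matches(host, hostname) and ktype == keytype:
                return "ok" if hmac.compare_digest(stored, key_b64) else "MISMATCH"
        # Nothing recorded yet: TOFU accepts whatever key is presented right now.
        self.entries.append("%s %s %s" % (hashed_host(hostname, os.urandom(20)), keytype, key_b64))
        return "new"

def tofu_scenario(first_key: bytes, later_key: bytes):
    """Two connections to the same host; returns the verdict of each."""
    kh = KnownHosts()
    host, ktype = "git.example.com", "ssh-ed25519"  # constructed host name
    return kh.connect(host, ktype, first_key), kh.connect(host, ktype, later_key)

if __name__ == "__main__":
    print(tofu_scenario(b"real-server-key", b"real-server-key"))   # ('new', 'ok')
    print(tofu_scenario(b"real-server-key", b"interceptor-key"))   # ('new', 'MISMATCH')
    # Interceptor present from the first connection: its key is what gets pinned,
    # and the genuine server is the one that later triggers the mismatch warning.
    print(tofu_scenario(b"interceptor-key", b"real-server-key"))   # ('new', 'MISMATCH')
```

The third case is the point made above: the store cannot tell which of the two keys is genuine, because nothing outside the first connection vouches for the recorded key.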