When a browser finds an URL in a document that begins “https ...” and is directed to connect to the indicated server it may come to a point where the server has delivered a cert chain where the bottom of the chain is a cert with the server’s public key. So far no change. Now proposed new browser logic extracts that public key, computes its fingerprint, expresses that base64 and looks to see if any of the domain name components exactly match the fingerprint. If any component matches, skip the normal cert logic and take the public key as valid. Otherwise proceed with the normal X.509 logic.

Here is a rambling note on this, with some ramifications. Note that there are no modifications in site logic, merely a normal introduction of an unusual host name to the normal DNS service. Users need not be aware of this.

Does X.509 solve any remaining problem? Well some cite the idea of seeing a short URL on the side of a bus and typing it in. If you recognize a company name in the URL this gives you some indication of relating a prior company reputation with the site you find. I think that is rare and getting rarer; it does happen.

Are new vulnerabilities introduced? The probability that an accidental match occurs is about that of a key fingerprint collision.