Proposal: ENS record as trusted certificate authority for ENS (sub)domain(s)

Via the Ethereum Name Service (ENS), anyone can register an ENS domain name (‘mydomain.eth’) inside a widely recognized (just look at Twitter these days) smart contract on Ethereum, alongside a record that may contain auxiliary info, such as the hash of a static html website hosted on IPFS. Right now, users can visit these websites by typing “mydomain.eth.link” into their browser (ENS aware browsers such as Brave don’t even need the eth.link service), which the browser flags as secure.

I can think of no reason why our browsers should not be able to verify a secure connection to a webserver (beyond just a static IPFS site) as well. So I’m proposing the following change to Firefox trust store:

When ‘mydomain.eth’ is entered, the browser looks up the ENS record via the Web3 API. If the ENS record looks like a traditional DNS record (rather than an IPFS hash), it connects to the corresponding server IP and performs a TLS handshake. If the server’s TLS certificate is signed by the public key of the owner of ‘mydomain.eth’ domain, the browser shows the user that the connection is secure. An owner of an ENS domain effectively becomes the unique certificate authority for ‘mydomain.eth’ (and all its sub-domains).

Can we please make this happen? If not, what are the concerns of the Firefox dev team? There should not be a concern about missing revenue for Firefox from the Certificate Authorities: you could simply deploy a “Firefox Dev Fund” contract, where domain owners could donate a fixed amount to register their domain with Firefox, and the browser checks whether the domain was registered. I think domain owners would prefer to contribute to the FF dev fund than to the current centralized CAs, who only forward part of their revenue to you for browser development.

In my opinion, this would pave the way to a much less centralized - and therefore more secure - approach to TLS, that does not rely on certificate authorities. I’m optimistic that Chromium would eventually follow suit, just as they currently point to the Firefox community when it comes to these matters.

I’d be very happy to start the open source development of this system, if I know the FF dev team is open to this feature. It would be very few lines of code in total, both the ENS verification logic and “FF Dev Fund” contract.

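Added example (mine, not code from the post above nor from Firefox or ENS): a Python sketch of the verification step the proposal describes, checking that the server's TLS certificate is signed by the ENS domain owner's key and that the requested host falls under that ENS name. It assumes the ENS lookup yields the owner's secp256k1 public key as (x, y) coordinates (Ethereum keys are secp256k1), that the browser already holds the server's leaf certificate, and that the `cryptography` package is installed; the certificate fixture is constructed here only to exercise the check.

```python
import datetime
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

UTC = datetime.timezone.utc


def cert_is_signed_by_ens_owner(cert, owner_x, owner_y, ens_name, host):
    """True iff the cert presented for `host` is signed by the secp256k1 key
    (owner_x, owner_y) that ENS returned for the owner of `ens_name`."""
    if host != ens_name and not host.endswith("." + ens_name):
        return False  # the owner's authority covers only the ENS name and its subdomains
    owner_pub = ec.EllipticCurvePublicNumbers(owner_x, owner_y, ec.SECP256K1()).public_key()
    try:  # signature over the to-be-signed certificate must come from the owner key
        owner_pub.verify(cert.signature, cert.tbs_certificate_bytes,
                         ec.ECDSA(cert.signature_hash_algorithm))
        sans = cert.extensions.get_extension_for_class(
            x509.SubjectAlternativeName).value.get_values_for_type(x509.DNSName)
    except (InvalidSignature, x509.ExtensionNotFound):
        return False
    # validity window; the *_utc attributes only exist in newer cryptography releases
    not_before = getattr(cert, "not_valid_before_utc", None) or cert.not_valid_before.replace(tzinfo=UTC)
    not_after = getattr(cert, "not_valid_after_utc", None) or cert.not_valid_after.replace(tzinfo=UTC)
    return not_before <= datetime.datetime.now(UTC) <= not_after and host in sans


def make_server_cert(signer_key, server_key, dns_names, days=30):
    """Constructed fixture: a certificate for dns_names, signed by signer_key."""
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, dns_names[0])])
    now = datetime.datetime.now(UTC)
    san = x509.SubjectAlternativeName([x509.DNSName(n) for n in dns_names])
    return (x509.CertificateBuilder().subject_name(name).issuer_name(name)
            .public_key(server_key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(now - datetime.timedelta(minutes=5))
            .not_valid_after(now + datetime.timedelta(days=days))
            .add_extension(san, critical=False).sign(signer_key, hashes.SHA256()))


def demo():
    owner, server, stranger = (ec.generate_private_key(ec.SECP256K1()) for _ in range(3))
    pub = owner.public_key().public_numbers()  # stands in for the ENS owner-key lookup
    good = make_server_cert(owner, server, ["mydomain.eth", "www.mydomain.eth"])
    rogue = make_server_cert(stranger, server, ["mydomain.eth"])  # signed by a non-owner
    check = lambda c, h: cert_is_signed_by_ens_owner(c, pub.x, pub.y, "mydomain.eth", h)
    return (check(good, "mydomain.eth"), check(good, "www.mydomain.eth"),
            check(rogue, "mydomain.eth"), check(good, "other.eth"))
```

A real implementation would also need revocation and key-rotation handling (what happens when the ENS owner key changes) before the browser could show a secure indicator on this basis alone.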