
TOFU is a viable alternative for "long-living" certs, too. The very fact that the cert has longer validity makes it somewhat easier to trust it directly in the client.



TOFU doesn’t actually work. If you set up a TOFU cert environment, 100% of non-security people will click right through it, and 95% of security people will also click right through it.

They’ll just assume that because it was untrusted the first time, that cert errors are normal and ignore it. Especially since they will have a “first use” for every new device and every new browser they visit with.


Funny how some people claim no one will ever click through the TOFU warning screen because it's too scary and unfamiliar, whilst others say users will just click through everything.


There’s an important distinction. My claim is that once a user is trained how to ignore a cert error for a particular site and add an exception, they will no longer pay any mind to that site or environment giving cert errors.

The general public, when surfing and hitting a cert error on a random site, will usually disengage.


If you've added a persistent exception, that means you've trusted that cert on your device so getting further cert errors would surely be unexpected.
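The distinction the last two comments are arguing over (a genuine "first use" versus a cert that changed after a persistent exception was stored) is what a trust-on-first-use pin store has to make visible. The following is an added example, not code posted by any commenter; it assumes a per-device store keyed by hostname holding the SHA-256 fingerprint of the certificate bytes, and uses constructed placeholder byte strings in place of real DER certificates.

```python
import hashlib

# Constructed sample "certificates": in a real client these would be the DER
# bytes received in the TLS handshake; here they are placeholder byte strings.
CERT_A = b"constructed-cert-for-example.test-v1"
CERT_B = b"constructed-cert-for-example.test-v2"


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 over the raw certificate bytes, the usual pin format for TOFU."""
    return hashlib.sha256(cert_der).hexdigest()


class TofuStore:
    """Per-device pin store (assumed design): host -> fingerprint seen on first use."""

    def __init__(self) -> None:
        self.pins: dict[str, str] = {}

    def check(self, host: str, cert_der: bytes) -> str:
        fp = fingerprint(cert_der)
        known = self.pins.get(host)
        if known is None:
            # Genuinely the first contact from this store: record the pin and
            # prompt exactly once.
            self.pins[host] = fp
            return "first-use"
        if known == fp:
            return "ok"
        # The pinned cert changed. This is the one case that must not look like
        # a routine warning: it is either a legitimate rotation or interception,
        # and the client cannot tell which without out-of-band confirmation.
        return "mismatch"


def simulate_thread_scenario() -> dict:
    """Replays the situations the comments describe and returns each verdict."""
    device1 = TofuStore()
    device2 = TofuStore()  # a second device/browser starts with an empty store
    return {
        "device1_first": device1.check("example.test", CERT_A),
        "device1_again": device1.check("example.test", CERT_A),
        "device1_rotated": device1.check("example.test", CERT_B),
        "device2_first": device2.check("example.test", CERT_A),
    }


if __name__ == "__main__":
    for step, verdict in simulate_thread_scenario().items():
        print(f"{step}: {verdict}")
```

The second device still gets its own "first-use" prompt, which is the habituation problem the earlier comment raises; but on the device that already holds a pin, a changed certificate comes back as "mismatch", a different verdict that a client UI should render differently from the first-use prompt rather than as the same dismissable warning.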



