Should we use TLS certificates for the server?

[IntegratedQuantum]

While #1737 does prevent a man in the middle from stealing an existing account after you joined the server once, there is still the possibility of taking over your account when you join for the first time.
This could be fixed by properly checking the server certificate using TLS.

Joining by direct IP should of course always remain without the certificate check.

This would require either relying on the existing certificate authority infrastructure (how easy is it to get a certificate nowadays?), or making our own certificate authority (since we control the application this is actually a valid option).
Making our own certificate authority could have certain advantages, since we have control over who gets a certificate (→we could effectively ban servers that misbehave, that could also be seen as a disadvantage though), and how much they pay for it(→this could be a potential revenue source if the project grows).

[Argmaster]

This would require either relying on the existing certificate authority infrastructure (how easy is it to get a certificate nowadays?),

It's trivial: https://letsencrypt.org/

Making our own certificate authority could have certain advantages, since we have control over who gets a certificate (→we could effectively ban servers that misbehave, that could also be seen as a disadvantage though),

It's open source project, people will just edit in a different one.

and how much they pay for it(→this could be a potential revenue source if the project grows).

It's open source prohect, people will just edit in a different one.

The point of TLS is not to ensure that the server is safe in a literal "not a bad party" meaning, but that the communication is safe from interception.

Also, considering development of government regulations of what should be blocked and what not we should make it as impossible as possible to block servers. Otherwise you will end up with a bunch of lawyers telling you that you must ban x and y server right now.

That last part suggests that we should support adding custom authorities to bypass potential bans in the existing infrastructure.

Free as in speech, not free as in beer.