Hacker News new | past | comments | ask | show | jobs | submit login

They do ? I had no idea. That sounds terrible.

I have not implemented key-pinning myself, but I always assumed you were pinning the key of the actual site you were communicating with ... sort of like SSH ...

That's not the case ?




You can pin to any of the public keys in your certificate chain, so that's the root cert, intermediate certs, or your own cert.

Most deployments currently pin to a main and backup CA. This is because HPKP makes it fairly easy to essentially brick your domain (Think: Heartbleed and a lost backup key. Say goodbye to your domain!). It's possible, but you better know what you're doing.


Wow. So there's no way to simply say "here is the public key that I expect to see for this website, and alert me if it's different" ?

Isn't that the simplest thing with the most utility ?

What am I missing here ?


"any of the public keys in your certificate chain" includes your own certificate, so yes, that's possible.

However, if your main and backup key is lost or compromised, you have essentially bricked your domain. That's why most real-life deployments pin to two CAs instead (since CAs are generally better at managing keys).




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: