[Ach] bettercrypto.org cert blocked in chrome 56

Alice Wonder alice at librelamp.com
Mon Nov 28 23:23:50 CET 2016

On 11/28/2016 02:12 PM, Raoul Bhatia wrote:
> I've successfully transitioned existing StartSSL certificates + HPKP / HSTS to letsencrypt.sh (via the Debian package).
> I know I am not the first to do such a thing, but maybe you'd like to have some quick pointers to get this resolved ASAP.
> Raoul
> PS. The most important thing is to initially tell letsencrypt.sh to reuse an existing private key for requesting new certs.

And that is exactly why I never use HPKP - it does not give the system 
administrator any flexibility when a new cert / key is needed.

In theory there should be a backup key already with a pin to take care 
of cases where the private key is compromised, but as soon as you have 
to use it you are vulnerable to bricking the site for some users if that 
key needs to be revoked.

It also gives no flexibility whatsoever when you have to fire a system 
administrator who may have had access to private keys. Normally in that 
situation you generate new keys, but with HPKP you are stuck keeping the 
old keys active until the new keys have had their pins in the header 
longer than the TTL.

Why people like HPKP so much is a real mystery to me.
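The lock-in Alice describes (the old key must stay in service until the new pin has been advertised for longer than the cached max-age) can be worked through numerically. The following is an added example and not code from this thread; the pin values and header history are constructed placeholders, and the retirement calculation assumes clients enforce the pin set from their most recent visit for exactly max-age seconds, as RFC 7469 specifies.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed placeholder pins; real values are base64(SHA-256(SPKI)) of each key.
OLD_PIN, BACKUP_PIN, NEW_PIN = "OLDKEY=", "BACKUPKEY=", "NEWKEY="
MAX_AGE = 5184000  # 60 days, a commonly used HPKP max-age
# Constructed header history: (epoch seconds first served, header value).
HISTORY = [
    (0, f'pin-sha256="{OLD_PIN}"; pin-sha256="{BACKUP_PIN}"; max-age={MAX_AGE}'),
    (1_000_000, f'pin-sha256="{OLD_PIN}"; pin-sha256="{BACKUP_PIN}"; '
                f'pin-sha256="{NEW_PIN}"; max-age={MAX_AGE}'),
]

PIN_RE = re.compile(r'pin-sha256="([^"]+)"')
AGE_RE = re.compile(r"max-age=(\d+)")

def parse_pkp(value: str) -> tuple[frozenset[str], int]:
    """Parse a Public-Key-Pins header value into (pins, max_age)."""
    pins = frozenset(PIN_RE.findall(value))
    age = AGE_RE.search(value)
    if age is None or len(pins) < 2:  # RFC 7469: max-age and a backup pin are mandatory
        raise ValueError("invalid Public-Key-Pins header")
    return pins, int(age.group(1))

@dataclass(frozen=True)
class Period:
    since: int              # when this header value started being served
    pins: frozenset[str]
    max_age: int

def build_timeline(history: list[tuple[int, str]]) -> list[Period]:
    return [Period(t, *parse_pkp(v)) for t, v in sorted(history)]

def has_backup_pin(pins: frozenset[str], chain_pins: frozenset[str]) -> bool:
    """Browsers only note a pin set if the served chain matches one pin AND at
    least one pin is absent from the chain (the backup key)."""
    return bool(pins & chain_pins) and not pins <= chain_pins

def earliest_safe_retirement(timeline: list[Period], new_pin: str, now: int) -> int:
    """Earliest time a chain matching only new_pin can be served without
    breaking any client. A visitor at time v enforces the pins served at v
    until v + max_age, so the binding case is the last visitor who fetched a
    header that did not yet contain new_pin."""
    safe = 0
    for i, p in enumerate(timeline):
        if new_pin in p.pins:
            continue
        period_end = timeline[i + 1].since if i + 1 < len(timeline) else now
        safe = max(safe, period_end + p.max_age)
    return safe
```

With the constructed history above, the new pin first appears at t=1,000,000 and the old key cannot be retired before t=6,184,000, i.e. one full max-age after the pin was added.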
