[Ach] bettercrypto.org cert blocked in chrome 56

sivmu sivmu at web.de
Tue Nov 29 00:04:58 CET 2016



On 28.11.2016 at 23:23, Alice Wonder wrote:
> On 11/28/2016 02:12 PM, Raoul Bhatia wrote:
>> I've successfully transitioned existing StartSSL certificates + HPKP /
>> HSTS to letsencrypt.sh (via the Debian package).
>>
>> I know I am not the first to do such a thing, but maybe you'd like to
>> have some quick pointers to get this resolved ASAP.
>>
>> Raoul
>>
>> PS. The most important thing is to initially tell letsencrypt.sh to
>> reuse an existing private key for requesting new certs.
> 
> And that is exactly why I never use HPKP - it does not give the system
> administrator any flexibility when a new cert / key is needed.
> 
> In theory there should be a backup key already with a pin to take care
> of cases where the private key is compromised, but as soon as you have
> to use it you are vulnerable to bricking the site for some users if that
> key needs to be revoked.
> 
> It also gives no flexibility whatsoever when you have to fire a system
> administrator who may have had access to private keys. Normally in that
> situation you generate new keys, but with HPKP you are stuck keeping the
> old keys active until the new keys have had their pins in the header
> longer than the TTL.
> 

This issue can be solved by using short life spans for certificates/keys
like Let's Encrypt does. At least it reduces the drawbacks.


> Why people like HPKP so much is a real mystery to me.
> 

Because HPKP recreates some level of trust in an (almost) completely
broken and highly flawed system?
With HPKP, MITM attacks by skilled adversaries are almost impossible, while
without it MITM is a piece of cake, especially for government agencies.
It does a great deal for the trust of the certificate system.

> _______________________________________________
> Ach mailing list
> Ach at lists.cert.at
> http://lists.cert.at/cgi-bin/mailman/listinfo/ach
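The thread above argues about what HPKP does and does not allow an operator to do: a header is only honoured if it carries a backup pin for a key that is not in the served chain, rotating to that pre-pinned backup key works, and rotating to a key that was never pinned breaks the site for every client whose stored pin has not yet passed max-age. The following is an added example written for this archive page, not code from the thread, from bettercrypto.org or from any browser; it models a simplified RFC 7469 client pin store against constructed stand-in SPKI byte strings (real pins are SHA-256 over the DER SubjectPublicKeyInfo, as produced by `openssl pkey -pubout -outform der`) and a hypothetical host `example.org`, so it runs offline.

```python
import base64
import hashlib
import re
from dataclasses import dataclass

# Constructed stand-ins for DER-encoded SubjectPublicKeyInfo blobs. In a real
# deployment these bytes come from the actual keys; here they are just
# labelled strings so the example runs without any key material.
SPKI_CURRENT = b"constructed-spki-current-key"
SPKI_BACKUP = b"constructed-spki-backup-key"
SPKI_FRESH = b"constructed-spki-never-pinned-key"

SIXTY_DAYS = 60 * 24 * 3600


def spki_pin(spki_der: bytes) -> str:
    """RFC 7469 pin value: base64(SHA-256(SPKI DER))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()


def build_pkp_header(spkis, max_age, include_subdomains=False) -> str:
    """Build a Public-Key-Pins header value for the given keys."""
    parts = ['pin-sha256="%s"' % spki_pin(s) for s in spkis]
    parts.append("max-age=%d" % max_age)
    if include_subdomains:
        parts.append("includeSubDomains")
    return "; ".join(parts)


@dataclass
class PinnedHost:
    pins: set
    expires_at: int


class PinStore:
    """Minimal model of a browser's HPKP pin store (no persistence, no
    includeSubDomains matching, integer seconds for time)."""

    def __init__(self):
        self.hosts = {}

    def note_header(self, host, header, chain_spkis, now) -> bool:
        """Process a Public-Key-Pins header seen on a validated connection.
        RFC 7469 requires at least one pin matching the served chain and at
        least one backup pin that does not; otherwise the header is ignored.
        Returns True if the header was accepted."""
        pins = set(re.findall(r'pin-sha256="([^"]+)"', header))
        m = re.search(r"max-age=(\d+)", header)
        if not pins or not m:
            return False
        chain_pins = {spki_pin(s) for s in chain_spkis}
        if not (pins & chain_pins) or not (pins - chain_pins):
            return False  # no matching pin, or no backup pin: ignored
        max_age = int(m.group(1))
        if max_age == 0:
            self.hosts.pop(host, None)  # max-age=0 clears the pin
            return True
        self.hosts[host] = PinnedHost(pins, now + max_age)
        return True

    def validate(self, host, chain_spkis, now) -> bool:
        """True if the connection is allowed: no live pin, or chain matches."""
        entry = self.hosts.get(host)
        if entry is None or now > entry.expires_at:
            return True  # nothing pinned (or pin expired)
        return any(spki_pin(s) in entry.pins for s in chain_spkis)


def rotation_scenario() -> dict:
    """Walk through the key-rotation cases discussed in the thread."""
    host = "example.org"
    store = PinStore()
    results = {}

    # A header with only the live key and no backup pin is ignored.
    results["header_without_backup_accepted"] = store.note_header(
        host, build_pkp_header([SPKI_CURRENT], SIXTY_DAYS), [SPKI_CURRENT], now=0)

    # Proper deployment: current key plus a pre-generated backup key.
    store.note_header(host, build_pkp_header([SPKI_CURRENT, SPKI_BACKUP], SIXTY_DAYS),
                      [SPKI_CURRENT], now=0)

    # Rotating to the pinned backup key works for a returning client.
    results["rotate_to_backup"] = store.validate(host, [SPKI_BACKUP], now=86400)
    # Rotating to a key that was never pinned bricks the site for that client.
    results["rotate_to_fresh_key"] = store.validate(host, [SPKI_FRESH], now=86400)
    # The same client only recovers once the stored pin has passed max-age.
    results["fresh_key_after_expiry"] = store.validate(host, [SPKI_FRESH], now=SIXTY_DAYS + 1)

    # Correct path: serve the backup key while pinning the next key, then switch.
    store.note_header(host, build_pkp_header([SPKI_BACKUP, SPKI_FRESH], SIXTY_DAYS),
                      [SPKI_BACKUP], now=86400)
    results["rotate_to_fresh_after_repin"] = store.validate(host, [SPKI_FRESH], now=86401)
    return results


if __name__ == "__main__":
    for case, allowed in rotation_scenario().items():
        print("%-32s %s" % (case, "allowed" if allowed else "BLOCKED"))
```

The model makes the operational point concrete: a client that visited during the pin window and never came back keeps rejecting an unpinned key until its own copy of max-age runs out, which is why the thread's advice is either to pin the next key well before using it or to keep max-age (and key lifetimes) short.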
