[Ach] bettercrypto.org cert blocked in chrome 56

Alexander Wuerstlein arw at cs.fau.de
Wed Nov 30 00:33:08 CET 2016


On 2016-11-29T21:42, sivmu <sivmu at web.de> wrote:
> 
> 
> Am 29.11.2016 um 11:46 schrieb Alice Wonder:
> With HPKP there is no such attack surface.

Whereas HPKP has the nice new attack surface of "now I've -unbeknownst
to you- got access and secretly fed your users my key. Now I've deleted
it from the box. Pay me or kill your domain".

Both approaches are deeply flawed and at best worthy to be used in some
kind of trustworthiness scoring system. Like "oh, DANE, HPKP and a
regular CA signature, you'll get the green bar". But I guess that might
never happen for other reasons.


Ciao,

Alexander Wuerstlein.
