[Ach] bettercrypto.org cert blocked in chrome 56

Gunnar Haslinger gh.bettercrypto at hitco.at
Wed Nov 30 22:51:01 CET 2016

Am 30.11.2016 um 21:57 schrieb sivmu:
> when pinning your certificates you can include one whose
> corresponding key is not on the machine but acts as the backup key, maybe
> even offline.

Not "can": it's not an option, it is mandatory!

The browsers will NOT accept HPKP pinning if you don't add a currently
unused backup key.

Regarding DANE and HTTPS: it's not the client who checks the
TLSA records and verifies the KSK/ZSK signatures, it's your nameserver.
Only a few people host their own nameserver at home or on their smartphone
etc. - usually the nameserver of your ISP is used - so: just intercept
the last mile and DANE is broken.
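The backup-pin rule discussed above, modelled in code. This is an added example, not code from the list post or from bettercrypto.org: it computes HPKP pin-sha256 values the way RFC 7469 defines them (base64 of the SHA-256 of the DER SubjectPublicKeyInfo) and applies the user-agent acceptance rule that a Public-Key-Pins header must carry at least one pin matching an SPKI in the served chain and at least one pin matching none of them (the backup). The three SPKI byte strings are constructed placeholders, not real keys; the function and constant names are this example's own.

```python
"""Model of the HPKP (RFC 7469) rule a browser applies before it honours a
Public-Key-Pins header: the header needs at least two pin-sha256 values,
one matching an SPKI in the served certificate chain and one matching no
SPKI in the chain (the currently unused backup key).
Added illustration; not code from the list post."""
import base64
import hashlib
import re

# Constructed stand-ins for DER-encoded SubjectPublicKeyInfo blobs.  Real
# ones come from: openssl x509 -in cert.pem -pubkey -noout |
#                 openssl pkey -pubin -outform der
# For the pin arithmetic they only need to be distinct byte strings.
LEAF_SPKI = b"\x30\x82\x01\x22constructed-leaf-spki"
INTERMEDIATE_SPKI = b"\x30\x82\x01\x22constructed-intermediate-spki"
BACKUP_SPKI = b"\x30\x82\x01\x22constructed-offline-backup-spki"


def pin_sha256(spki_der: bytes) -> str:
    """HPKP pin: base64 of the SHA-256 digest of the DER SPKI."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def build_header(spki_list, max_age=5184000, include_subdomains=False) -> str:
    """Assemble a Public-Key-Pins header value from a list of DER SPKIs."""
    directives = [f'pin-sha256="{pin_sha256(s)}"' for s in spki_list]
    directives.append(f"max-age={max_age}")
    if include_subdomains:
        directives.append("includeSubDomains")
    return "; ".join(directives)


_PIN_RE = re.compile(r'pin-sha256="([A-Za-z0-9+/=]+)"')


def parse_pins(header_value: str) -> list:
    """Extract the pin-sha256 values from a Public-Key-Pins header value."""
    return _PIN_RE.findall(header_value)


def is_valid_pin_set(header_value: str, chain_spkis) -> bool:
    """User-agent acceptance rule (RFC 7469, sections 2.5 and 4.3).

    True only if the header carries at least two distinct pins, at least one
    of which matches an SPKI in the served chain (so the pin binds to the key
    actually in use) and at least one of which matches none of them (the
    backup pin).  A header listing only keys present in the chain is
    rejected, which is why a browser ignores pinning without a backup key.
    """
    pins = set(parse_pins(header_value))
    if len(pins) < 2:
        return False
    chain_pins = {pin_sha256(s) for s in chain_spkis}
    has_match = bool(pins & chain_pins)
    has_backup = bool(pins - chain_pins)
    return has_match and has_backup


if __name__ == "__main__":
    chain = [LEAF_SPKI, INTERMEDIATE_SPKI]
    good = build_header([LEAF_SPKI, BACKUP_SPKI])
    bad = build_header([LEAF_SPKI, INTERMEDIATE_SPKI])  # every pin is in the chain
    print("with offline backup pin:", is_valid_pin_set(good, chain))
    print("both pins in the chain: ", is_valid_pin_set(bad, chain))
```

Pinning the intermediate instead of the leaf is allowed by the same rule, since any SPKI in the chain counts as a match; what never passes is a pin set in which every value is already present in the served chain.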
