[Ach] bettercrypto.org certificate has expired today

Hanno Böck hanno at hboeck.de
Wed Mar 8 16:32:52 CET 2017


On Wed, 8 Mar 2017 16:28:35 +0100
Alexander Wuerstlein <arw at cs.fau.de> wrote:

> There is another factor if one is bold enough to use it: The max-age
> of HPKP-Pins and administrative change time and TTL of TLSA DNS
> entries. Especially HPKP max-age must be _added_ to the
> aforementioned times if there is a chance that one would change the
> keypair when obtaining a new certificate. Recommendations for max-age
> are in the order of a month or even more.

This is one of the reasons why these days I tend to advise against HPKP
with the exception of high-risk sites. There's just far too much that
can go wrong with HPKP.

My recommendation: For most people, don't use HPKP. If you feel you have
a high risk of being a target of state-level adversaries you can
consider HPKP, but you should know really well what the various caveats
are and have a good plan for everything that can go wrong. And before
you use HPKP there are various other less risky things you can do, e.g.
monitoring CT logs.

-- 
Hanno Böck
https://hboeck.de/

mail/jabber: hanno at hboeck.de
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42
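
The max-age lead time raised in the quoted paragraph, worked through as an added example (not part of the original messages): given the Public-Key-Pins headers a site has served, it computes the earliest date a certificate on a new key can be deployed without locking out clients that still hold an older pin set. The function names, pin strings and dates are constructed for illustration, and it assumes the new chain matches only the pins passed in.

```python
from datetime import datetime, timedelta, timezone

def parse_hpkp(header):
    """Return (pins, max_age) from a Public-Key-Pins header value (RFC 7469)."""
    pins, max_age = set(), None
    for directive in header.split(";"):
        # Split on the first "=" only: base64 pin values end in "=" padding.
        name, _, value = directive.strip().partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "pin-sha256":
            pins.add(value)
        elif name == "max-age":
            max_age = timedelta(seconds=int(value))
    if max_age is None or not pins:
        raise ValueError("Public-Key-Pins needs max-age and at least one pin")
    return pins, max_age

def earliest_safe_switch(history, new_chain_pins):
    """history: [(served_from, header), ...] oldest first; the last entry is live.
    Returns the first moment no client can still hold a pin set that rejects
    the new chain, or None if the live header does not pin the new chain yet."""
    safe = history[0][0]
    for i, (served_from, header) in enumerate(history):
        pins, max_age = parse_hpkp(header)
        if pins & set(new_chain_pins):
            continue  # clients holding this pin set accept the new chain
        if i == len(history) - 1:
            return None  # publish the new pin first, then wait max-age
        # A client may have noted this header just before it was replaced
        # and keeps it for max-age from that visit.
        replaced_at = history[i + 1][0]
        safe = max(safe, replaced_at + max_age)
    return safe

# Constructed placeholder pins (not real key hashes) and dates.
OLD_PIN, BACKUP_PIN, NEW_PIN = "A" * 43 + "=", "B" * 43 + "=", "C" * 43 + "="
UTC = timezone.utc
HISTORY = [
    (datetime(2017, 1, 1, tzinfo=UTC),
     f'pin-sha256="{OLD_PIN}"; pin-sha256="{BACKUP_PIN}"; max-age=2592000'),
    (datetime(2017, 3, 1, tzinfo=UTC),
     f'pin-sha256="{OLD_PIN}"; pin-sha256="{BACKUP_PIN}"; '
     f'pin-sha256="{NEW_PIN}"; max-age=2592000'),
]

if __name__ == "__main__":
    print("switch to NEW key no earlier than:",
          earliest_safe_switch(HISTORY, {NEW_PIN}))
```

A key whose pin was already in every served header (the backup pin here) can be deployed immediately; a key that was never pinned needs the full max-age wait after its pin is first published.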

