[Ach] bettercrypto.org certificate has expired today

Terje Elde terje at elde.net
Wed Mar 8 17:26:36 CET 2017
> On 8 Mar 2017, at 16:28, Alexander Wuerstlein <arw at cs.fau.de> wrote:
> 
> However, in my opinion, one would have to be mad to use any HPKP max-age
> longer than maybe a week with letsencrypt.

Well, that really depends on what you pin, and if you swap the key.

If you keep the key, or pin Let's Encrypt's intermediate, it's not that much different from the risks always associated with HPKP.

For now, my recommendation to sites new to HPKP is to pin wide, such as both the Let's Encrypt intermediate or root, and two other CAs that you might go to in case of trouble, as well as the key itself and an offline backup key.

That'll get you out of most trouble. I think the risk of foot-gunning with HPKP is a lot longer than someone targeting you with a fake cert from one of those CAs, at least for most sites.

But yeah, HPKP definitely needs to be on the list of things to consider.

Terje
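The "pin wide" recommendation above (current key, an offline backup key, the CA intermediate, plus a couple of fallback CAs, with a short max-age) can be checked mechanically. The following is an added example, not code from the thread or from bettercrypto.org: it computes RFC 7469 `pin-sha256` values from freshly generated stand-in keys (no real Let's Encrypt material is involved), assembles a `Public-Key-Pins` header with a one-week max-age, and replays the client-side rule (at least one SPKI in the served chain must match a remembered pin) across the rotations the message discusses. The key names and the `RunScenario` layout are the example's own assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"fmt"
	"strings"
)

// SPKIPin computes the RFC 7469 pin for a public key:
// base64(SHA-256(DER-encoded SubjectPublicKeyInfo)).
func SPKIPin(pub *ecdsa.PublicKey) (string, error) {
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		return "", err
	}
	sum := sha256.Sum256(der)
	return base64.StdEncoding.EncodeToString(sum[:]), nil
}

// PinsHeader assembles a Public-Key-Pins header value. Pins for keys that are
// NOT in the served chain (backup key, fallback CAs) are what keep rotation safe.
func PinsHeader(pins []string, maxAgeSeconds int, includeSubDomains bool) string {
	parts := make([]string, 0, len(pins)+2)
	for _, p := range pins {
		parts = append(parts, fmt.Sprintf(`pin-sha256="%s"`, p))
	}
	parts = append(parts, fmt.Sprintf("max-age=%d", maxAgeSeconds))
	if includeSubDomains {
		parts = append(parts, "includeSubDomains")
	}
	return strings.Join(parts, "; ")
}

// ChainMatchesPins is the client-side rule: the connection passes if at least
// one SPKI in the presented chain (leaf, intermediate, root) is a remembered pin.
func ChainMatchesPins(chainPins, pinned []string) bool {
	set := make(map[string]struct{}, len(pinned))
	for _, p := range pinned {
		set[p] = struct{}{}
	}
	for _, c := range chainPins {
		if _, ok := set[c]; ok {
			return true
		}
	}
	return false
}

// ScenarioResult records which rotations a client holding the cached header accepts.
type ScenarioResult struct {
	Header             string
	CurrentChainOK     bool // current leaf + pinned intermediate
	NewLeafSameCAOK    bool // key rotated, same intermediate
	NewLeafOtherCAOK   bool // key rotated AND moved to an unpinned CA: the foot-gun
	BackupKeyOtherCAOK bool // moved to an unpinned CA, but using the offline backup key
}

func newPin() (string, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return "", err
	}
	return SPKIPin(&priv.PublicKey)
}

// RunScenario builds the wide pin set and replays rotations. Every key is a
// freshly generated stand-in (assumption of this example), not real CA material.
func RunScenario() (ScenarioResult, error) {
	var r ScenarioResult
	pins := map[string]string{}
	for _, n := range []string{"leaf", "backup", "intermediate", "fallbackCA1", "fallbackCA2", "newLeaf", "unpinnedCA"} {
		p, err := newPin()
		if err != nil {
			return r, err
		}
		pins[n] = p
	}
	pinned := []string{pins["leaf"], pins["backup"], pins["intermediate"], pins["fallbackCA1"], pins["fallbackCA2"]}
	r.Header = PinsHeader(pinned, 7*24*3600, false) // one week, as the thread suggests for Let's Encrypt
	r.CurrentChainOK = ChainMatchesPins([]string{pins["leaf"], pins["intermediate"]}, pinned)
	r.NewLeafSameCAOK = ChainMatchesPins([]string{pins["newLeaf"], pins["intermediate"]}, pinned)
	r.NewLeafOtherCAOK = ChainMatchesPins([]string{pins["newLeaf"], pins["unpinnedCA"]}, pinned)
	r.BackupKeyOtherCAOK = ChainMatchesPins([]string{pins["backup"], pins["unpinnedCA"]}, pinned)
	return r, nil
}

func main() {
	r, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Println("Public-Key-Pins:", r.Header)
	fmt.Printf("current chain %v | new key, same CA %v | new key, unpinned CA %v | backup key, unpinned CA %v\n",
		r.CurrentChainOK, r.NewLeafSameCAOK, r.NewLeafOtherCAOK, r.BackupKeyOtherCAOK)
}
```

The one combination that locks clients out is a new key under a CA that was never pinned; the short max-age bounds how long that outage lasts, while the backup-key pin is what lets you recover immediately.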

