undefined | Better HN

0 pointsmike_hearn11y ago0 comments

To give a real example, CryptoCat managed to commit pinning suicide recently. They requested a pin in Chrome and then their CA's intermediate expired, meaning they had to reissue the cert .... but failed, because Chrome rejected the new cert. They had to wait for the next Chrome version to recover and basically had a multi-week outage because of it.

Pinning eliminates CA's by eliminating the agility they provide. Not inherently an awesome deal.

0 comments

skuhn11y ago

You really need at least one alternate (from a different company!), even though that reduces security. 2 is still better than 150. I'm surprised that Google would accept a one hash pin, but I guess they'll let you shoot your own foot off if you want to.

The other side of that is you must actually be able to issue certs from that other CA. If you have to wait for your account to get set up and verified, you've lost.

yuhong11y ago

The problem is they switched to non-EV and they pinned only the EV root.

j / k navigate · click thread line to collapse