
> > the ability for sites with low security requirements to opt out of HPKP.

> opt out?! It's off by default.

I think tptacek meant that a site owner should be able to explicitly declare that nobody should be able to pin a key, so that nobody can hijack the site in the future.

An opt-in would make more sense, since people using HPKP are those that know the most about it. Just like an opt-out, it would have to be via a different channel than HTTP headers.

Fine, but take note that this leaves the door open for others to get a cert for your domain.
