Hacker News new | past | comments | ask | show | jobs | submit login

These HPKP instructions are rather dangerous (as in: more dangerous than they have to be).

The hash is for the ISRG root certificate, which is not widely trusted yet. While an ISRG-signed intermediate certificate is available, all clients currently default to the IdenTrust-signed intermediate, and even if you decide to use the other intermediate instead (or both, which most browsers can handle), that doesn't guarantee that browser build a trust path through that intermediate - it might have the other one cached from a different site. In other words, the second pin would almost never be satisfied, which means you're screwed once your private key is compromised or changes. Screwed as in your domain is bricked for up to 30 days with this max-age setting.

A slightly better approach would be to pin to both the ISRG and the IdenTrust root[1], plus your private key and a couple of backup keys that you keep offline. One or two backup pins to other CAs couldn't hurt either. Oh, and best run with Report-Only for a while.

[1]: https://www.identrust.com/certificates/trustid/root-download...

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact