Hacker News

What are your thoughts on HSTS for a TLD when a CA can then revoke a site’s cert, preventing access entirely (see: Comodo and Sci-Hub)?



You can always get a new SSL certificate from someone else quite easily (e.g. Let's Encrypt). So that's a temporary problem at worst.


Finally, "there are several dozen CAs and some are really sketchy" becomes a strength, rather than a weakness!


Sketchy CAs that issue certificates to people that don't actually own the domains in question tend to get nuked from the chain of trust very quickly.


Historically, I'd disagree with you, although it is improving with Certificate Transparency monitoring and alerting.


Fair enough, but it's getting better, especially thanks to CT as you point out.


As long as the CA is in a jurisdiction that can require revoking access, it becomes an attack vector if HSTS is enabled and you’re at the mercy of preloaded root CAs.


There are much worse attack vectors if the entire connection is unencrypted, though.


There are many preloaded root CAs. Are you saying you're worried that every single one of them will simultaneously be required to revoke your certificates?



