by theandrewbailey
3696 days ago
> Using the same key pair for multiple certificates is necessary for public key pinning, since Let's Encrypt only issues certificates that last 90 days. So do like GitHub does (did?) [0], and make the pins valid for 5 minutes. [0] looks like they upped it to 60 days?
That kinda defeats the point of HSTS. If the key is changing regularly, it makes it easy for an attacker to just temporarily prevent access to the site for long enough for the pin to time out, and then present their own certificates and keys.