by oarsinsync
3695 days ago
> So do like Github does (did?)[0], and make the pins valid for 5 minutes. That kinda defeats the point of HSTS. If the key is changing regularly, it makes it easy for an attacker to just temporarily prevent access to the site for long enough for the pin to timeout, and then present their own certificates and keys.
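The trade-off the comment describes, as an added example that is not part of the thread: a toy client-side pin store in the style of RFC 7469 (`Public-Key-Pins` with `pin-sha256` and `max-age`). The host name, the SPKI byte strings and the outage timings are all constructed for illustration; the point it shows is that once `max-age` has elapsed the client has no pin on record and will accept any chain, so a short `max-age` only constrains the server key while the client keeps seeing the site, whereas a long `max-age` keeps rejecting an unpinned key across a gap in connectivity.

```python
"""Added example: a minimal HPKP-style pin cache showing the effect of max-age.
Not code from the comment or from any browser; sample keys are constructed."""
import base64
import hashlib
import re

PIN_RE = re.compile(r'pin-sha256="([^"]+)"')
MAX_AGE_RE = re.compile(r'max-age=(\d+)')


def spki_pin(spki_der):
    """RFC 7469 pin value: base64(SHA-256(SubjectPublicKeyInfo DER))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()


def parse_pkp_header(header):
    """Return (set of pin values, max-age in seconds) from a PKP header."""
    pins = set(PIN_RE.findall(header))
    m = MAX_AGE_RE.search(header)
    if m is None:
        raise ValueError("max-age directive is required")
    return pins, int(m.group(1))


class PinStore:
    """Per-host cache of pins; each entry is honoured until noted_at + max_age."""

    def __init__(self):
        self._hosts = {}  # host -> (pins, expires_at)

    def note(self, host, header, now):
        pins, max_age = parse_pkp_header(header)
        if max_age == 0:            # max-age=0 clears the pin, per the RFC
            self._hosts.pop(host, None)
            return
        self._hosts[host] = (pins, now + max_age)

    def check(self, host, chain_spki, now):
        """Validate a presented chain (list of SPKI blobs) at time `now`.

        Returns (decision, reason). With no live pin the client has nothing
        to compare against, so the chain is accepted unconditionally.
        """
        entry = self._hosts.get(host)
        if entry is None:
            return "accept", "no pin on record"
        pins, expires_at = entry
        if now >= expires_at:
            del self._hosts[host]
            return "accept", "pin expired; any chain accepted"
        if any(spki_pin(k) in pins for k in chain_spki):
            return "accept", "pin matched"
        return "reject", "no pinned key in chain"


# Constructed stand-ins for SPKI DER blobs (not real keys).
SITE_KEY = b"constructed-spki-of-the-real-site-key"
BACKUP_KEY = b"constructed-spki-of-the-backup-key"
UNPINNED_KEY = b"constructed-spki-not-in-the-pin-set"


def scenario(max_age, gap_seconds):
    """Pin the site at t=0, then present an unpinned key after gap_seconds.

    Returns the client's decision: 'accept' or 'reject'.
    """
    store = PinStore()
    header = (f'pin-sha256="{spki_pin(SITE_KEY)}"; '
              f'pin-sha256="{spki_pin(BACKUP_KEY)}"; max-age={max_age}')
    store.note("example.com", header, now=0)
    decision, _reason = store.check("example.com", [UNPINNED_KEY], now=gap_seconds)
    return decision


if __name__ == "__main__":
    # 5-minute pins: after a 301-second gap the unpinned key is accepted.
    print("max-age=300, gap=301:", scenario(300, 301))
    # 60-day pins: the same gap leaves the pin live and the key is rejected.
    print("max-age=5184000, gap=301:", scenario(5184000, 301))
```

The `scenario` function returns "accept" for a 5-minute `max-age` once the gap exceeds 300 seconds, and "reject" for the same gap under a 60-day `max-age`; a detection angle for defenders is that the pin expiring and then being re-noted with a different key set is visible in the client's store history, but only if the client logs it.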