by Klathmon
3073 days ago
HSTS is not deprecated, HPKP is. HSTS is what tells the browser "this website MUST be served over TLS". HPKP is what tells the browser "this website must be served over TLS with this exact key". HPKP is being deprecated due to the large "footgun" it creates for websites, and the difficulty at actually managing it. It's being replaced by "Expect-CT" which is a much easier and safer way of getting a similar result.
Expect-CT is very different, I'm not sure "similar result" is the right phrase. HPKP lets you pin to any set of keys, a reasonable choice might be your current key, a spare key that your DevOps have ready to go, and one more that's printed out on a piece of paper in the company safe labelled "important: Web site private key, never lose this".
Expect-CT is like Python's `from __future__ import`: in the future we expect the Web PKI to use Certificate Transparency logging policy to ensure oversight over all CAs. Expect-CT lets you demand enforcement of such policy today, to the extent that's possible. Today policy is still in a state of flux, so enforcing it might not do what you expect, whereas HPKP was very predictable. On the other hand, it's definitely not subject to hostage taking, and it's probably less susceptible to footguns, so that's nice. And if the future does come to pass as expected it's future proof, since such a policy will become de facto the normal behaviour of common user agents.
[Edited to make more sense]
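The three headers the thread compares, as a small Python example added here (not code from either commenter): it parses Strict-Transport-Security (RFC 6797), Public-Key-Pins (RFC 7469) and Expect-CT (RFC 9163) directives, computes HPKP pin values as base64(SHA-256(SubjectPublicKeyInfo)), and then walks through the "current key, spare key, key in the safe" pinning scenario, including the lock-out that makes HPKP a footgun when a site rotates to a key it never pinned. The `*_SPKI` byte strings are constructed stand-ins for DER-encoded SubjectPublicKeyInfo blobs (real ones come out of the X.509 chain); the function names are this example's own.

```python
"""Parse and evaluate HSTS, HPKP and Expect-CT headers (added example, not the thread's code)."""
import base64
import hashlib
import re
from typing import List, Optional, Tuple

# One directive: name[=value], value bare or double-quoted, separated by ';' (HSTS, HPKP) or ',' (Expect-CT).
_DIRECTIVE = re.compile(r'\s*([A-Za-z0-9-]+)\s*(?:=\s*("([^"]*)"|([^;,]*)))?\s*(?:[;,]|$)')

# Constructed stand-ins for DER-encoded SubjectPublicKeyInfo blobs (real ones come from X.509 certs).
CURRENT_SPKI = b"constructed-spki-current-key"
SPARE_SPKI = b"constructed-spki-spare-key-devops"
SAFE_SPKI = b"constructed-spki-paper-key-in-safe"
ROGUE_SPKI = b"constructed-spki-unplanned-new-key"


def spki_pin(spki_der: bytes) -> str:
    """RFC 7469 pin value: base64(SHA-256(SubjectPublicKeyInfo DER))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def parse_directives(header: str) -> List[Tuple[str, Optional[str]]]:
    """Return (name, value) pairs in header order; names lower-cased, bare tokens get None.
    A list rather than a dict, because HPKP repeats pin-sha256 once per pinned key."""
    pairs = []
    for m in _DIRECTIVE.finditer(header):
        value = m.group(3) if m.group(3) is not None else m.group(4)
        pairs.append((m.group(1).lower(), value.strip() if value is not None else None))
    return pairs


def _max_age(pairs) -> Optional[int]:
    for name, value in pairs:
        if name == "max-age" and value and value.isdigit():
            return int(value)
    return None


def _first(pairs, wanted: str) -> Optional[str]:
    return next((v for n, v in pairs if n == wanted), None)


def parse_hsts(header: str) -> dict:
    """Strict-Transport-Security: 'this site must be served over TLS'."""
    pairs = parse_directives(header)
    names = {n for n, _ in pairs}
    return {"max_age": _max_age(pairs),
            "include_subdomains": "includesubdomains" in names,
            "preload": "preload" in names}


def parse_hpkp(header: str) -> dict:
    """Public-Key-Pins: 'over TLS, and only with one of these keys'."""
    pairs = parse_directives(header)
    return {"pins": [v for n, v in pairs if n == "pin-sha256" and v],
            "max_age": _max_age(pairs),
            "include_subdomains": any(n == "includesubdomains" for n, _ in pairs),
            "report_uri": _first(pairs, "report-uri")}


def parse_expect_ct(header: str) -> dict:
    """Expect-CT: 'require Certificate Transparency compliance'; note the comma separators."""
    pairs = parse_directives(header)
    return {"max_age": _max_age(pairs),
            "enforce": any(n == "enforce" for n, _ in pairs),
            "report_uri": _first(pairs, "report-uri")}


def build_hpkp_header(spkis: List[bytes], max_age: int = 5184000, report_uri: Optional[str] = None) -> str:
    """Emit a PKP header pinning every SPKI given (sixty days is a common max-age choice)."""
    parts = [f'pin-sha256="{spki_pin(s)}"' for s in spkis] + [f"max-age={max_age}"]
    if report_uri:
        parts.append(f'report-uri="{report_uri}"')
    return "; ".join(parts)


def hpkp_policy_accepted(policy: dict, served_chain: List[bytes]) -> bool:
    """Would a UA note this PKP header? RFC 7469 requires at least one pin matching the served
    chain and at least one 'backup' pin that does not, so the site can recover from key loss."""
    pins = set(policy["pins"])
    presented = {spki_pin(s) for s in served_chain}
    return len(pins) >= 2 and bool(pins & presented) and bool(pins - presented)


def hpkp_evaluate(policy: dict, served_chain: List[bytes]) -> Tuple[bool, str]:
    """A later visit: the connection is valid iff some pinned SPKI appears in the served chain."""
    if {spki_pin(s) for s in served_chain} & set(policy["pins"]):
        return True, "a pinned key is present in the served chain"
    return False, "no pinned key in the served chain: the UA refuses the site until max-age expires"


if __name__ == "__main__":
    policy = parse_hpkp(build_hpkp_header([CURRENT_SPKI, SPARE_SPKI, SAFE_SPKI]))
    print("policy noted by UA:", hpkp_policy_accepted(policy, [CURRENT_SPKI]))
    for label, chain in [("planned rotation to spare", [SPARE_SPKI]), ("unplanned new key", [ROGUE_SPKI])]:
        print(label, "->", hpkp_evaluate(policy, chain))
    print(parse_hsts("max-age=31536000; includeSubDomains; preload"))
    print(parse_expect_ct('max-age=86400, enforce, report-uri="https://example.com/ct-report"'))
```

The rotation walk-through is the point: pinning current, spare and safe keys survives a planned move to the spare, but a UA that has cached the policy rejects any key outside that set until max-age runs out, which is exactly the hostage-taking and footgun risk the thread is weighing against Expect-CT's enforce/report-only model.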