|
|
|
|
|
|
by olliej
2785 days ago
|
|
|
HPKP was a bad standard - there’s no way it could be used safely at scale. There are just too many ways to accidentally screw up, and that’s before you start dealing with actual attackers. CT allows you to detect misissuance - theoretically you could have a monitor service that watched all the logs for changes to your domains. Longer term something (no opinion stated on exactly what) needs to be done to rectify the trust model for BGP and DNS |
|
|