[Tor2web-talk] whom do I thank for adding key-pinning for our SSL in Chrome?

Tom Ritter tom at ritter.vg
Wed Oct 15 15:47:25 CEST 2014


On 15 October 2014 06:06, Giovanni Pellerano
<giovanni.pellerano at evilaliv3.org> wrote:
> I don't remember. I think that hellas made the request so far :)
>
> By the way, it's not so good at all, as we are now not able to easily
> change the SSL certificate after the Heartbleed attack. :(

Key Pinning should not be implemented unless you have a robust backup
strategy - the draft mandates at least two pins: a Deployed and a
Backup.  The backup is meant to be kept off a production server
somewhere and if necessary, signed by a CA, and rolled in.

I would recommend more than one backup.  If it was my server, I would
make 2 backups: one I keep myself somewhere, and one I PGP to myself,
send to a friend, and instruct them not to send it to me unless I talk
to them on the phone or in person.  That way they can't decrypt it,
and if someone compromises my email/PGP key, they can't get the
ciphertext from my friend.

-tom
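As an added illustration of the deployed-plus-backup pin rule described above (not code from this thread or the Tor2web project), the Go program below derives HPKP pins from two key pairs, builds the Public-Key-Pins header, and checks which served keys a client that cached that header would still accept. The P-256 curve, the max-age value and the key names are assumptions of the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"fmt"
	"strings"
)

// newKey makes a P-256 key pair; a backup's private half stays offline.
func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// spkiPin is the HPKP pin, base64(SHA-256(DER SPKI)); only the public key
// is hashed, so a backup pin can be published before its key is ever used.
func spkiPin(pub *ecdsa.PublicKey) string {
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		panic(err)
	}
	sum := sha256.Sum256(der)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// pinsHeader builds a Public-Key-Pins value (deployed pin + backup pins).
func pinsHeader(maxAge int, pins ...string) string {
	var parts []string
	for _, p := range pins {
		parts = append(parts, fmt.Sprintf(`pin-sha256="%s"`, p))
	}
	return strings.Join(append(parts, fmt.Sprintf("max-age=%d", maxAge)), "; ")
}

// pinAccepted mimics the browser: the served key's pin must match a cached pin.
func pinAccepted(cachedHeader, servedPin string) bool {
	return strings.Contains(cachedHeader, `pin-sha256="`+servedPin+`"`)
}

func main() {
	fmt.Println(pinsHeader(5184000, spkiPin(&newKey().PublicKey), spkiPin(&newKey().PublicKey)))
}
```

After an emergency rotation the backup key goes live and is still accepted by clients holding the old header, while a fresh key with no pre-published pin would lock them out for the whole max-age window.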
