Re: HSTS Misuse

> On 23 May 2016, at 1:37 PM, Philipp Junghannß <> wrote:
> also lets not forget that what will happen if we have an obnoxiouslyy long HSTS and the domain gets sold? have fun eating that one.
> obviously the issue gets even better with HPKP. for HSTS you can can get around with letsencrypt and ANY other trusted certs but HPKP pins specific keys, in other words when for example the previous server/owner or whoever has pinned some EV CAs and the next owner is an individual, that person can forget it because (for some stupid reason) individuals cant get EV certs.

At least for HPKP you cannot set obnoxiously long lifetimes, as the RFC recommends limiting max-age to ~60 days.


Received on Tuesday, 24 May 2016 13:11:23 UTC