On 13 Sep 2011, at 21:35, Chris Palmer wrote:

> <snip>
> sites; small sites may have to choose no pinning or potentially
> bricking their site (up to the maxAge window). This is not worse than
> the status quo.
What about sites which don't currently use https at all? The DNS records for theregister.co.uk were redirected the other week. An attacker who could do that could redirect to https, then set a very long max-age pin. At that point, they'd be dependent on the browser vendor unpinning affected users, right?

David
_______________________________________________
websec mailing list
websec@ietf.org
https://www.ietf.org/mailman/listinfo/websec
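An added illustration, not code from this thread or from any browser: a toy browser-side pin store in Python showing why one long max-age pin set while DNS is hijacked keeps users locked out until it expires, and how a client-side cap on the accepted max-age bounds that window. The 60-day cap, the host name and the SPKI hash strings are constructed values for the example.

```python
from dataclasses import dataclass

DAY = 86400
MAX_AGE_CAP = 60 * DAY  # assumed cap; a browser would pick its own limit


@dataclass
class PinEntry:
    spki_hashes: frozenset  # SPKI hashes the host is pinned to
    expires_at: int         # absolute time the pin stops applying


def set_pin(store, host, spki_hashes, max_age, now, cap=MAX_AGE_CAP):
    """Record a pin for host; clamp max_age to cap (None = no cap)."""
    effective = max_age if cap is None else min(max_age, cap)
    store[host] = PinEntry(frozenset(spki_hashes), now + effective)
    return effective


def pin_is_active(store, host, now):
    entry = store.get(host)
    return entry is not None and now < entry.expires_at


def chain_allowed(store, host, chain_hashes, now):
    """Unpinned hosts pass; pinned hosts need a hash present in the chain."""
    if not pin_is_active(store, host, now):
        return True
    return bool(store[host].spki_hashes & set(chain_hashes))


def days_until_recovery(cap):
    """Days after an injected ten-year pin until the site's real chain is
    accepted again, for a given browser cap on max-age."""
    store = {}
    host = "example.test"  # constructed host
    # Pin injected while DNS was hijacked: attacker's key, ten-year max-age.
    set_pin(store, host, {"attacker-spki"}, 10 * 365 * DAY, 0, cap)
    legit_chain = ["legit-spki"]  # the site's genuine key, never pinned
    for day in range(10 * 365 + 1):
        if chain_allowed(store, host, legit_chain, day * DAY):
            return day
    return None


if __name__ == "__main__":
    print("lockout with 60-day cap:", days_until_recovery(MAX_AGE_CAP), "days")
    print("lockout with no cap:    ", days_until_recovery(None), "days")
```

Without a cap the lockout lasts the full ten years the injected pin asked for; with the cap the store forgets the pin after 60 days, which is the point where the browser vendor would otherwise have to intervene.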