
Moves like this intrigue me.

On the one hand, I support creating new platforms with security built-in by default, but on the flip side, the Chrome team just axed HPKP without even so much as bothering to try to refine it to mitigate the footguns.

I don't understand how the web-facing security decisions at Google are made. :/




There are motivating reasons for that[0]. The Expect-CT header is its replacement, and is getting picked up by recent versions of Chrome.

[0]: https://scotthelme.co.uk/im-giving-up-on-hpkp/


Yep. I contributed rather substantially to one of those reasons with a talk on abuse cases for HPKP at DEF CON two years back.

I'm still disappointed. I don't feel Expect-CT effectively covers the same use cases.



