Don't Pin To A Single CA

If you do certificate pinning, either via HPKP, or in your mobile app, or your IoT device, or your desktop software, or anywhere… do not pin solely to a single certificate, whether it’s a leaf certificate, intermediate or root certificate, and do not pin solely to certificates from a single CA. This is the height of self-imposed Single Point of Failure foolishness, and has the potential to bite you in the ass. If your CA goes away or becomes untrusted and it causes you problems, no-one will be sympathetic.

This Has Been A Public Service Announcement.
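Added illustration, not part of the original post: a small Python check for the rule stated above, that a pin set must not hang entirely off one CA, plus the RFC 7469 pin computation and a Public-Key-Pins header built from a set that passes. The CA names and SPKI bytes are constructed placeholders.

```python
import base64
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class PinnedKey:
    label: str       # what the key is (leaf, intermediate, root)
    issuer: str      # the CA that operates this key or issued the cert
    spki_der: bytes  # DER-encoded SubjectPublicKeyInfo of the key


def hpkp_pin(spki_der: bytes) -> str:
    # RFC 7469 pin value: base64(SHA-256(DER SubjectPublicKeyInfo))
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def pin_set_problems(keys, served_chain_issuers):
    """Return the single-point-of-failure problems in a proposed pin set.

    served_chain_issuers: the CAs appearing in the chain the site serves today.
    An empty list means the set still validates after losing any one CA.
    """
    problems = []
    if len(keys) < 2:
        problems.append("fewer than two pins; RFC 7469 requires a backup pin")
    issuers = {k.issuer for k in keys}
    if len(issuers) < 2:
        problems.append("every pin depends on one CA: " + ", ".join(issuers))
    if all(k.issuer in served_chain_issuers for k in keys):
        problems.append("no backup pin outside the currently served chain")
    return problems


def build_header(keys, max_age=5184000, include_subdomains=False):
    # Public-Key-Pins header value; refuse to emit a set with no backup at all.
    if len(keys) < 2:
        raise ValueError("refusing to emit a header with a single pin")
    parts = [f'pin-sha256="{hpkp_pin(k.spki_der)}"' for k in keys]
    parts.append(f"max-age={max_age}")
    if include_subdomains:
        parts.append("includeSubDomains")
    return "; ".join(parts)


# Constructed placeholder SPKI bytes; a real SPKI comes from e.g.
# openssl x509 -in cert.pem -pubkey -noout | openssl pkey -pubin -outform DER
LE_LEAF = PinnedKey("leaf", "Let's Encrypt", b"placeholder-spki-leaf")
LE_INTERMEDIATE = PinnedKey("intermediate", "Let's Encrypt", b"placeholder-spki-le-int")
BACKUP_ROOT = PinnedKey("root", "Other CA (constructed)", b"placeholder-spki-backup")
SINGLE_CA_SET = [LE_LEAF, LE_INTERMEDIATE]   # the mistake the post warns about
SAFE_SET = [LE_LEAF, LE_INTERMEDIATE, BACKUP_ROOT]

if __name__ == "__main__":
    print(pin_set_problems(SINGLE_CA_SET, {"Let's Encrypt"}))
    print(build_header(SAFE_SET, include_subdomains=True))
```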

2 thoughts on "Don't Pin To A Single CA"

  1. Are there any plans to provide an alternative to Let’s Encrypt or is this more intended as an “If you can’t justify paying for a cert, don’t use HPKP” warning?

  2. You don’t need to pay for a cert. Just pin to Let’s Encrypt, and also another CA you are pretty darn confident will be able to sell you a cert quickly if you need one in an emergency. God willing, that day never comes, but if it does, just go and pay for one at that point.

    But also yes, if the cost of a backup cert is beyond you, you are probably not running the sort of site which is in HPKP’s target demographic!

    It’s not up to Mozilla to “provide an alternative to Let’s Encrypt” – it’s up to the market. And I hope that where LE has gone, other organizations will follow. That normally happens when the price of something drops; others in the market have to also lower prices to compete.

