nickf 4 days ago
I've said it up-thread, but never ever never never pin to anything public. Don't do it. It's bad. You, and even the CA, have no control over the certificates and cannot rely on them remaining in any way constant. Don't do it. If you must pin, pin to private CAs you control. Otherwise, don't do it. Seriously. Don't.
toast0 3 days ago
There's not really a better option if you need your URLs to work with public browsers and also an app you control. You can't use a private CA for those URLs, because the public browsers won't accept it; you need to include a public CA in your app so you don't have to rely on the user's device having a reasonable trust store. Including all the CAs you're never going to use is silly, so picking a few makes sense.
ori_b 3 days ago
Why should I trust a CA that has no control over the certificate chains?
einsteinx2 3 days ago
Repeating it doesn't make it any more true. Cert providers publish their root certs, you pin those root certs, zero problems.