Bocce Ball — Atlanta, GA

New and Improved TLS Certificate

It’s that time of year again: I’ve just updated this blogs TLS certificate. While this isn’t normally enough of a noteworthy event for me to make a post about it, just like the last time I posted, this one is a tiny bit more than just issuing a new certificate. This time around, I’ve changed the signature algorithm to a much stronger PKCS #1 SHA-256 with RSA encryption, and dropped support for IE8 (and possibly other old/stupid browsers) by removing some less secure ciphers from the end of the supported cipher suite. I’ve also added support for HPKP (the extra public key you see pinned is a backup certificate), despite a few concerns that I have with its implementation.

This, coupled with the existing HSTS, and OCSP stapling, should help ensure that this blog remains needlessly secure for another year.

For verifications purposes, the certificate fingerprints now appear on my Gist of keys and fingerprints, and in this tweet. This means that an attacker would have to gain access to my server, my GitHub account, and my Twitter account to impersonate this blog. If the fingerprint doesn’t match what’s here (and on those two pages), don’t trust the cert.

Fingerprints

SHA1:
8E:F9:BE:87:A3:C7:55:53:EF:5D:0D:53:77:5B:07:80:3A:F1:94:ED

SHA-256:
0D:A2:E6:0A:19:F2:A7:81:60:BF:AF:EC:55:57:1F:6A:C3:98:63:83:AE:6F:11:EE:12:F1:C8:7A:99:64:FC:6D

As always, if you have any questions please contact me.