Use certificates that specify OCSP Must-Staple

The Qualys SSL Server Test shows that haveibeenpwned.com uses certificates that do not specify OCSP Must-Staple. When you replace these certificates near their expiry date, please get certificates that specify OCSP Must-Staple. Scott Helme has a good article on why OCSP Must-Staple is important.

https://www.ssllabs.com/ssltest/analyze.html?d=haveibeenpwned.com
https://scotthelme.co.uk/ocsp-must-staple/

1 vote

Kenneth Barber shared this idea · Sep 25, 2019 · Report… · Admin →

declined ·

AdminTroy Hunt (CEO / Founder, Have I Been Pwned) responded · Sep 25, 2019

TLS termination is done at Cloudflare and this is not a configurable attribute. It poses a minor risk hence the A+ SSL Labs rating HIBP receives.

An error occurred while saving the comment

AdminTroy Hunt (CEO / Founder, Have I Been Pwned) commented · September 25, 2019 4:59 AM · Report

That's correct, not without paying a premium. Besides, I've no reason to want to do that.

Submitting...
Kenneth Barber commented · September 25, 2019 4:48 AM · Report

You can't choose the certificates that your website uses?

Submitting...

I suggest you ...

Use certificates that specify OCSP Must-Staple

Feedback

General

Feedback and Knowledge Base

Searching…

Give feedback

Have I Been Pwned

Use certificates that specify OCSP Must-Staple

We're glad you're here

We're glad you're here

We're glad you're here

General

Categories

Searching…

Give feedback

Have I Been Pwned