Questions tagged [hpkp]

20 questions
6
votes
1 answer

HPKP for self-signed certificates

On https://dev.chromium.org/Home/chromium-security/security-faq#TOC-How-does-key-pinning-interact-with-local-proxies-and-filters- , and https://developer.mozilla.org/en-US/docs/Web/HTTP/Public_Key_Pinning in the first yellow box, it says that…
peter
5
votes
1 answer

Can HPKP be used to track users?

There is already a large flora of "supercookies" and browser fingerprinting methods out there. I am wondering whether HPKP provides yet another method to track users? A server could send an extra backup key that is never intended to be used as a…
Anders
4
votes
2 answers

What are the disadvantages of HPKP?

I have noticed that many web sites do not implement HPKP even though it is simple to implement. Is there any downside to it?
Lio Xu
4
votes
3 answers

Is SSL Interception possible without disabling Public Key Pinning on the client side?

I'm currently setting up a pfSense firewall in my lab. It supports SSL Interception, which works pretty well for most sites. But there are some sites which use HTTP Public Key Pinning to prevent MitM attacks and this is a real pain because the systems…
davidb
3
votes
1 answer

Can HPKP certificate pinning disable DPI inspection on a firewall?

Is it possible that Firefox and Chrome disable pin validation for users who have imported custom root certificates, so that all pinning violations are ignored? What is the impact of that? Will the browser report any warning?
3
votes
0 answers

What is the maximum amount of certificates that can be pinned with HPKP?

We are currently looking into enabling HTTP Public Key Pinning on our website. The problem we are currently facing is that our certificates last only 90 days, but we have devised the following steps to resolve this issue: We will initially have…
Jenessa
3
votes
1 answer

Doesn't HPKP become useless after the max age has expired?

The basic idea behind HPKP was to protect your users from MITM attacks if an intermediate CA accidentally issues a fraudulent certificate for your domain to the attacker. You pin either keys or hash to your…
anon
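The question above turns on what a browser actually does with a noted pin once its max-age has elapsed. The following is an added example written for this page, not code from any of the questions or from a browser: a small model of a user agent's HPKP pin store following RFC 7469 (header parsing, the "at least one pin matches the chain and at least one backup pin does not" rules for noting, includeSubDomains lookup, and expiry). The "SPKI pins" are constructed stand-ins, base64(SHA-256(label)) of made-up labels, and the host name and timestamps are assumptions.

```python
"""Minimal model of how a user agent notes and enforces HPKP pins (RFC 7469).

Added example, not code from any question or browser. The pins are
stand-ins built from constructed labels, not hashes of real keys.
"""
import base64
import hashlib


def pin_for(label: str) -> str:
    """Stand-in for base64(sha256(DER SubjectPublicKeyInfo)); the label is constructed."""
    return base64.b64encode(hashlib.sha256(label.encode()).digest()).decode()


def parse_pkp_header(value: str):
    """Parse a Public-Key-Pins value into (pins, max_age, include_subdomains).

    Returns None for a header the UA must ignore: max-age missing or not a number.
    """
    pins, max_age, include_sub = set(), None, False
    for directive in value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, arg = directive.partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name == "pin-sha256":
            pins.add(arg)
        elif name == "max-age":
            if not arg.isdigit():
                return None
            max_age = int(arg)
        elif name == "includesubdomains":
            include_sub = True
        # report-uri and unknown directives are ignored by this model
    if max_age is None:
        return None
    return pins, max_age, include_sub


class PinStore:
    """Per-host pin store a UA keeps; an entry is only in force until its expiry."""

    def __init__(self):
        self._hosts = {}  # host -> (pins, expiry_time, include_subdomains)

    def note(self, host, header_value, chain_pins, now):
        """Process a PKP header received on a successfully validated TLS connection.

        chain_pins: SPKI pins of every certificate in the validated chain.
        Returns True if the store changed.
        """
        parsed = parse_pkp_header(header_value)
        if parsed is None:
            return False
        pins, max_age, include_sub = parsed
        if max_age == 0:
            return self._hosts.pop(host, None) is not None  # max-age=0 forgets the host
        if not (pins & set(chain_pins)):
            return False  # no pin matches the chain: header is ignored
        if not (pins - set(chain_pins)):
            return False  # no backup pin outside the chain: header is ignored
        self._hosts[host] = (pins, now + max_age, include_sub)
        return True

    def lookup(self, host, now):
        """Pins in force for host (or a superdomain noted with includeSubDomains), else None."""
        labels = host.split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            entry = self._hosts.get(candidate)
            if entry is None:
                continue
            pins, expiry, include_sub = entry
            if now >= expiry:
                del self._hosts[candidate]  # expired: the host is simply no longer pinned
                continue
            if i == 0 or include_sub:
                return pins
        return None

    def validate(self, host, chain_pins, now):
        """Pin Validation: fails only if pins are in force and none appears in the chain."""
        pins = self.lookup(host, now)
        if pins is None:
            return True  # nothing noted, or it expired: any trusted chain is accepted
        return bool(pins & set(chain_pins))


def demo():
    """Lifecycle of one pinned host (assumed example.com, constructed timestamps)."""
    leaf, backup, rogue = pin_for("leaf-key"), pin_for("offline-backup-key"), pin_for("mis-issued-key")
    header = f'pin-sha256="{leaf}"; pin-sha256="{backup}"; max-age=5184000; includeSubDomains'
    store = PinStore()
    t0 = 1_700_000_000
    store.note("example.com", header, [leaf], t0)
    return {
        "genuine_chain": store.validate("example.com", [leaf], t0 + 60),
        "misissued_chain": store.validate("www.example.com", [rogue], t0 + 60),
        "after_max_age": store.validate("example.com", [rogue], t0 + 5184000 + 1),
    }
```

Run `demo()`: the mis-issued chain is rejected while the entry is in force, and accepted once max-age has elapsed, because an expired entry is indistinguishable from never having been pinned. That is why the header has to be sent on every response, and why the first connection a client ever makes (or the first after a long absence) is not protected by HPKP at all.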
3
votes
1 answer

What are the columns in Firefox's SiteSecurityServiceState.txt?

Firefox's SiteSecurityServiceState.txt file (located in the profile folder) records the HSTS times and HPKP expiry times and pins. There are multiple columns, and I don't know what they represent: An example HSTS entry: api.github.com:HSTS 74 17087…
Geremia
2
votes
1 answer

What's the difference between certificate pinning and a truststore in Android/iOS?

I'm facing the implementation of certificate pinning and often get asked why, if there are trust stores within Android, iOS does not have such a concept. So I'm required to build the standard HPKP and pin two public keys. I have read the post What…
BennX
2
votes
2 answers

What is HPKP and how does it work in the case of websites?

I was looking at the HTTP Strict Transport Security (HSTS) implementation in Firefox. Firefox stores this data for sites in a file called SiteSecurityServiceState.txt. I see entries in it like: support.mozilla.org:HPKP 3 17242 …
Aniket Thakur
2
votes
1 answer

Are there any mechanisms to preload HTTP Public Key Pinning?

For HTTP Strict Transport Security (HSTS), there is a preload list that site owners can submit their site to: a list of domain names that the browser vendors ship their browsers with. Are there any mechanisms similar to HSTS Preloading that the…
AKS
1
vote
2 answers

Public Key Pinning and subdomains

Shortly I intend to install a new webserver and I'd like to secure users a little bit more. I already have a domain, a (virtual) server and everything else that matters when configuring a server. Basically this one will be used as a webserver for…
user1257255
1
vote
2 answers

Is DANE the DNS-variant of HTTP Public Key Pinning (HPKP)?

I'm trying to understand DANE and TLSA records more accurately. Is it fair to call DANE the DNS-variant of (or at least a very similar technique to) HTTP Public Key Pinning (HPKP)? Because with HPKP an SSL certificate can be pinned using a HTTP…
Bob Ortiz
1
vote
1 answer

Are the CSR and public key the exact same thing?

Are the CSR and public key the exact same thing? I require the CSR - can I create a Public key from .cer and use it as CSR? I need the CSR for HPKP backup key generation. Is OpenSSL the only way to do this (Windows machine)?
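The confusion in the question above is between the artifact and the thing that gets hashed: an HPKP pin is the SHA-256 of the DER-encoded SubjectPublicKeyInfo (SPKI), and that same SPKI structure is embedded verbatim inside a CSR and inside the issued certificate. The following is an added example written for this page, not code from the question or from OpenSSL: a hand-rolled DER encoder builds an SPKI from a toy RSA modulus and exponent (constructed values, not a real key), wraps it in a CertificationRequest whose signature is a placeholder, and a small DER walker pulls the SPKI back out of the CSR to show the pin is identical either way. The common name is an assumption.

```python
"""Why a CSR is not the public key, yet yields the same HPKP pin.

Added example with a minimal DER encoder/decoder. The RSA values are toy
constants (NOT a real key) and the CSR signature is a zero placeholder, so
nothing here is a usable certificate request.
"""
import base64
import hashlib

RSA_ENCRYPTION_OID = "1.2.840.113549.1.1.1"
SHA256_WITH_RSA_OID = "1.2.840.113549.1.1.11"
COMMON_NAME_OID = "2.5.4.3"
TOY_N = 0xC0FFEE1234567891ABCDEF0123456789  # constructed, far too small to be real
TOY_E = 65537


def der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag, body):
    return bytes([tag]) + der_len(len(body)) + body


def der_int(n):
    # one extra bit of headroom keeps the leading bit clear (positive INTEGER)
    return der(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))


def der_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return der(0x06, bytes(out))


def der_seq(*items):
    return der(0x30, b"".join(items))


def der_bitstring(body):
    return der(0x03, b"\x00" + body)  # zero unused bits


def rsa_spki(n, e):
    """SubjectPublicKeyInfo ::= SEQUENCE { AlgorithmIdentifier, subjectPublicKey BIT STRING }"""
    algorithm = der_seq(der_oid(RSA_ENCRYPTION_OID), der(0x05, b""))  # rsaEncryption, NULL params
    rsa_public_key = der_seq(der_int(n), der_int(e))  # RSAPublicKey ::= SEQUENCE { n, e }
    return der_seq(algorithm, der_bitstring(rsa_public_key))


def toy_csr(common_name, spki):
    """CertificationRequest ::= SEQUENCE { certificationRequestInfo, signatureAlgorithm, signature }"""
    rdn = der_seq(der_oid(COMMON_NAME_OID), der(0x0C, common_name.encode()))  # CN as UTF8String
    subject = der_seq(der(0x31, rdn))  # Name ::= SEQUENCE OF RelativeDistinguishedName (SET)
    info = der_seq(der_int(0), subject, spki, der(0xA0, b""))  # version 0, no attributes
    sig_alg = der_seq(der_oid(SHA256_WITH_RSA_OID), der(0x05, b""))
    signature = der_bitstring(b"\x00" * 16)  # placeholder only; a real CSR is signed by the key
    return der_seq(info, sig_alg, signature)


def split_tlv(buf):
    """Return (tag, body, rest) for the first DER element in buf (single-byte tags)."""
    tag, first = buf[0], buf[1]
    if first < 0x80:
        length, header = first, 2
    else:
        nbytes = first & 0x7F
        length, header = int.from_bytes(buf[2:2 + nbytes], "big"), 2 + nbytes
    return tag, buf[header:header + length], buf[header + length:]


def der_children(element):
    """Elements inside a constructed DER element, each returned with its own header."""
    _, body, _ = split_tlv(element)
    items = []
    while body:
        _, _, rest = split_tlv(body)
        items.append(body[:len(body) - len(rest)])
        body = rest
    return items


def spki_from_csr(csr_der):
    """Pull the SubjectPublicKeyInfo (third field of CertificationRequestInfo) out of a CSR."""
    info, _sig_alg, _signature = der_children(csr_der)
    _version, _subject, spki, _attributes = der_children(info)
    return spki


def hpkp_pin(spki_der):
    """pin-sha256 value: base64 of SHA-256 over the DER SubjectPublicKeyInfo."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()
```

With a real key the same equivalence holds, which is why the usual recipe for a backup pin is to generate the key pair and (optionally) a CSR offline and compute the pin from either: `openssl req -in backup.csr -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | base64` produces the same value as running the last three commands on the public key file, because both paths hash the identical SPKI bytes. The CSR itself is the SPKI plus a subject and a signature by the private key; it is what a CA consumes, not what the browser pins.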
1
vote
0 answers

Is it possible to go through proxy while PK Pinning is enabled?

My JavaFX client application and server have PK Pinning enabled. However, some clients ask us to add proxy support to the client app because the direct access in their office is closed and all the traffic goes through a proxy. Is it possible to use…