HTTP Public Key Pinning is a very powerful standard that allows a host to instruct a browser to only accept certain public keys when communicating with it for a given period of time. Whilst HPKP can offer a lot of protection, it can also cause a lot of harm too.…
Tag: HPKP
Total 25 Posts
We have quite a few security features at our disposal to help us better protect our websites and our visitors. I talk about them a lot on my blog and a few of them, mainly security headers, get a lot of coverage. Is it possible to use these security features…
It's been 6 months since my last crawl of the Alexa Top 1 Million so it's time to dust off my servers and fire them up again! Here's my latest observations of security on the top 1 million sites on the Web. What I'm looking for I use these crawls…
I've just pushed the next major update to https://report-uri.io and there are some great new features that I'm really excited to be launching! The service has come a long way in the 12 months it's been running and usage has soared. Here is your next batch of new…
I did a scan of the Alexa Top 1 Million back in August 2015 and published the results for everyone to see. Having just completed another scan of the current Alexa Top 1 Million with additional metrics being tracked, I thought I'd compare the results and see how much progress…
Let's Encrypt, the brand new and free Certificate Authority (CA), is now in public beta and I've just switched over to start using their certificates along with auto-renewal. No more re-issuing every year, that's right, it's all auto-magic! Let's Encrypt! There are many attractions to using Let's Encrypt (LE) but…
Having recently released my HPKP toolset, I thought I'd give some guidance on the various ways you can setup HPKP and the benefits and drawbacks of each. HTTP Public Key Pinning If you aren't familiar with HPKP then you should start by reading my introductory blog, HPKP: HTTP Public Key…
HPKP is an incredibly powerful response header that allows you to whitelist the fingerprints of specific cryptographic identities. This offers you protection against a rogue Certificate Authority issuing a certificate for your site. My new HPKP toolset will make implementing and testing your HPKP policy much easier! HTTP Public Key…
With my recent interest in security based HTTP headers like CSP and HPKP following the launch of my new service report-uri.io, I found myself wondering just how many people out there are actually taking advantage of the huge security gains on offer from such simple features. What are HTTP…
I have a couple of subdomains on scotthelme.co.uk to show how good a TLS config can be and how bad a TLS config can be and still not attract any warnings in the browser. I'm now adding a third subdomain to demonstrate what happens when your HPKP policy…
