It's been 6 months since my last crawl of the Alexa Top 1 Million so it's time to dust off my servers and fire them up again! Here's my latest observations of security on the top 1 million sites on the Web. What I'm looking for I use these crawls…
Tag: HPKP
Total 23 Posts
I've just pushed the next major update to https://report-uri.io and there are some great new features that I'm really excited to be launching! The service has come a long way in the 12 months it's been running and usage has soared. Here is your next batch of new…
I did a scan of the Alexa Top 1 Million back in August 2015 and published the results for everyone to see. Having just completed another scan of the current Alexa Top 1 Million with additional metrics being tracked, I thought I'd compare the results and see how much progress…
Let's Encrypt, the brand new and free Certificate Authority (CA), is now in public beta and I've just switched over to start using their certificates along with auto-renewal. No more re-issuing every year, that's right, it's all auto-magic! Let's Encrypt! There are many attractions to using Let's Encrypt (LE) but…
Having recently released my HPKP toolset, I thought I'd give some guidance on the various ways you can setup HPKP and the benefits and drawbacks of each. HTTP Public Key Pinning If you aren't familiar with HPKP then you should start by reading my introductory blog, HPKP: HTTP Public Key…
HPKP is an incredibly powerful response header that allows you to whitelist the fingerprints of specific cryptographic identities. This offers you protection against a rogue Certificate Authority issuing a certificate for your site. My new HPKP toolset will make implementing and testing your HPKP policy much easier! HTTP Public Key…
With my recent interest in security based HTTP headers like CSP and HPKP following the launch of my new service report-uri.io, I found myself wondering just how many people out there are actually taking advantage of the huge security gains on offer from such simple features. What are HTTP…
I have a couple of subdomains on scotthelme.co.uk to show how good a TLS config can be and how bad a TLS config can be and still not attract any warnings in the browser. I'm now adding a third subdomain to demonstrate what happens when your HPKP policy…
Over the weekend I finalised a major update for https://report-uri.io, my new CSP and HPKP violation reporting service. Designed to make setting up and using your CSP even easier, this update has now been pushed out to the live site. Here are the details. New branding The first…
After writing about both CSP and HPKP, I covered the report-uri directive that allowed a browser to send reports back to the host if their security policy was breached. Whilst this reporting is a great feature, it can be a lot of work to implement, especially on smaller sites. I've…
