Tag: HPKP

Total 25 Posts

I'm giving up on HPKP

HTTP Public Key Pinning is a very powerful standard that allows a host to instruct a browser to accept only certain public keys when communicating with it for a given period of time. Whilst HPKP can offer a lot of protection, it can also cause a lot of harm.…


Getting started with Let's Encrypt!

Let's Encrypt, the brand new and free Certificate Authority (CA), is now in public beta and I've just switched over to start using their certificates along with auto-renewal. No more re-issuing every year, that's right, it's all auto-magic! Let's Encrypt! There are many attractions to using Let's Encrypt (LE) but…


Guidance on setting up HPKP

Having recently released my HPKP toolset, I thought I'd give some guidance on the various ways you can set up HPKP and the benefits and drawbacks of each.

HTTP Public Key Pinning

If you aren't familiar with HPKP then you should start by reading my introductory blog, HPKP: HTTP Public Key…


The HPKP toolset!

HPKP is an incredibly powerful response header that allows you to whitelist the fingerprints of specific cryptographic identities. This offers you protection against a rogue Certificate Authority issuing a certificate for your site. My new HPKP toolset will make implementing and testing your HPKP policy much easier! HTTP Public Key…


Demonstrating HPKP validation failures

I have a couple of subdomains on scotthelme.co.uk to show how good a TLS config can be and how bad a TLS config can be and still not attract any warnings in the browser. I'm now adding a third subdomain to demonstrate what happens when your HPKP policy…
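The posts above describe HPKP from both ends: the server emits a Public-Key-Pins header whitelisting SPKI fingerprints, and the browser notes those pins and later refuses any chain that does not carry one of them. The following is an added example, not code from the blog or from the author's HPKP toolset, that models both halves with the standard library only: computing a pin-sha256 value, building and parsing the header, the RFC 7469 rule that a browser only notes a policy which includes a backup pin not present in the served chain, and the validation outcomes for a normal connection, a rogue-CA certificate, a rotation to the backup key, and a re-key with no pinned key left (the lock-out failure mode). The SPKI byte strings are constructed placeholders, not real DER keys, and the report-uri host is hypothetical.

```python
"""HTTP Public-Key-Pins (HPKP): build the header, then model how a browser
notes pins and validates later certificate chains against them (RFC 7469).
Standard library only; SPKI blobs below are constructed stand-ins."""
import base64
import hashlib


def spki_pin(spki_der: bytes) -> str:
    """pin-sha256 value for one key: base64(SHA-256(SubjectPublicKeyInfo DER))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def build_pkp_header(pins, max_age, include_subdomains=False, report_uri=None):
    """Server side: serialise a Public-Key-Pins header. Refuses single-pin
    policies, which a compliant browser would ignore anyway (no backup pin)."""
    if len(set(pins)) < 2:
        raise ValueError("HPKP needs at least two distinct pins: one live, one backup")
    parts = [f'pin-sha256="{p}"' for p in pins]
    parts.append(f"max-age={int(max_age)}")
    if include_subdomains:
        parts.append("includeSubDomains")
    if report_uri:
        parts.append(f'report-uri="{report_uri}"')
    return "; ".join(parts)


def parse_pkp_header(value: str) -> dict:
    """Browser side: split the header into its directives."""
    policy = {"pins": [], "max_age": None, "include_subdomains": False, "report_uri": None}
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")  # first '=' only; keeps base64 padding
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name == "pin-sha256":
            policy["pins"].append(arg)
        elif name == "max-age":
            policy["max_age"] = int(arg)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "report-uri":
            policy["report_uri"] = arg
    return policy


def should_note_pins(policy: dict, chain_pins) -> bool:
    """RFC 7469 s2.5: a browser notes (caches) a policy only if the chain
    validated, max-age is present and positive (max-age=0 clears noted pins),
    at least one pin matches an SPKI in the chain, and at least one pin does
    NOT match: the backup pin requirement."""
    if policy["max_age"] is None or policy["max_age"] <= 0:
        return False
    pins = set(policy["pins"])
    matched = pins & set(chain_pins)
    return len(pins) >= 2 and bool(matched) and matched != pins


def pin_validation(noted_pins, chain_pins) -> bool:
    """A later connection succeeds only if some certificate in the served chain
    (leaf, intermediate or root) carries a pinned SPKI; otherwise hard-fail."""
    return bool(set(noted_pins) & set(chain_pins))


# Constructed stand-ins for SubjectPublicKeyInfo DER blobs (not real keys; only
# their hashes matter here). For a real certificate the pin comes from:
#   openssl x509 -in cert.pem -pubkey -noout | openssl pkey -pubin -outform der \
#   | openssl dgst -sha256 -binary | base64
LIVE_PIN = spki_pin(b"constructed: live leaf key")
BACKUP_PIN = spki_pin(b"constructed: offline backup key")
INTERMEDIATE_PIN = spki_pin(b"constructed: intermediate CA key")
ROGUE_PIN = spki_pin(b"constructed: leaf key issued by a rogue CA")
NEW_UNPINNED_PIN = spki_pin(b"constructed: replacement key that was never pinned")


def demo() -> dict:
    """Walk through the scenarios a practitioner hits; returns each outcome."""
    header = build_pkp_header([LIVE_PIN, BACKUP_PIN], max_age=5184000,
                              include_subdomains=True,
                              report_uri="https://example.test/hpkp-report")  # hypothetical
    policy = parse_pkp_header(header)
    good_chain = [LIVE_PIN, INTERMEDIATE_PIN]
    # A policy pinning only keys that are all in the chain has no backup pin,
    # so a browser silently refuses to note it.
    no_backup = parse_pkp_header(build_pkp_header([LIVE_PIN, INTERMEDIATE_PIN], 5184000))
    return {
        "header": header,
        "noted": should_note_pins(policy, good_chain),
        "no_backup_noted": should_note_pins(no_backup, good_chain),
        "normal_connection": pin_validation(policy["pins"], good_chain),
        "rogue_ca_blocked": not pin_validation(policy["pins"], [ROGUE_PIN, INTERMEDIATE_PIN]),
        "rotated_to_backup": pin_validation(policy["pins"], [BACKUP_PIN, INTERMEDIATE_PIN]),
        # Lost both pinned keys and re-keyed: every visitor with noted pins is locked out.
        "rekey_without_pin_locked_out": not pin_validation(policy["pins"], [NEW_UNPINNED_PIN, INTERMEDIATE_PIN]),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The last scenario is the one that makes HPKP dangerous: once a visitor has noted your pins, the only way to change keys is to a key that was already pinned, so the backup key must be generated and pinned before you ever need it, and kept offline. The header here is the enforcing one; the same directives on a Public-Key-Pins-Report-Only header only send reports and never block, which is the safer way to test a policy before committing to a long max-age.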
