undefined | Better HN

0 pointspeterwwillis10y ago0 comments

You don't get to say there is no threat if almost every website today is vulnerable.

First, this is optional software that almost every public server in the world is currently not using. It's like saying just because executable whitelisting exists that downloaded exploit payloads on operating systems is no longer a threat. If nobody uses it, the threat still exists.

In addition to actually implementing it on your server, every single user still has to make a secure initial connection over a trusted network on every device they'll ever use to get to that site.

But not every client even supports HPKP. There's lots of older software which doesn't support it, and IE doesn't support it at all, which by itself would leave 12% of all clients vulnerable.

https://projects.dm.id.lv/Public-Key-Pins_test

https://en.wikipedia.org/wiki/Usage_share_of_web_browsers

0 comments

alwillis10y ago

You don't get to say there is no threat if almost every website today is vulnerable.

I didn't mean that literally the threat has been eliminated due to HPKP; it's yet another tool that can be used.

HPKP isn't software--just additional HTTP headers that pretty much every web server can be configured to send.

In addition to actually implementing it on your server, every single user still has to make a secure initial connection over a trusted network on every device they'll ever use to get to that site.

True; it's even described in the RFC: https://tools.ietf.org/html/rfc7469

Key pinning is a trust-on-first-use (TOFU) mechanism. The first time a UA connects to a host, it lacks the information necessary to perform Pin Validation; UAs can only apply their normal cryptographic identity validation. (In this document, it is assumed that UAs apply X.509 certificate chain validation in accord with [RFC5280].)

j / k navigate · click thread line to collapse