Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

HPKP - HTTP Public Key Pinning Extension #26

Open
AnBuKu opened this issue Sep 23, 2015 · 3 comments
Open

HPKP - HTTP Public Key Pinning Extension #26

AnBuKu opened this issue Sep 23, 2015 · 3 comments

Comments

@AnBuKu
Copy link

AnBuKu commented Sep 23, 2015

Based on IRC chat with drybjed I add this request here, and not to ansible-nginx.

HPKP is a trust on first use security mechanism which protects HTTPS websites from impersonation using fraudulent certificates issued by compromised certificate authorities.

Read more about in links below.

Links:
https://tools.ietf.org/html/rfc7469
https://developer.mozilla.org/en-US/docs/Web/Security/HTTP_strict_transport_security
https://raymii.org/s/articles/HTTP_Public_Key_Pinning_Extension_HPKP.html
https://github.com/debops/ansible-nginx
https://en.wikipedia.org/wiki/HTTP_Public_Key_Pinning

@drybjed
Copy link
Member

drybjed commented Sep 23, 2015

Just to clarify, HPKP needs a certificate file with full chain of intermediate certificates and root CA certificate included. This is done best in debops.pki role which currently handles for example combined key + certificate for certain applications. I'll add support for it with the role overhaul.

@ypid
Copy link
Member

ypid commented Sep 19, 2016

https://bettercrypto.org also has a nice summary how this can be done. Also, no need to fear this feature. There is a Report-Only option which we could maybe even make the default (at least for LE as it is unlikely that people would use another CA if they use LE), not sure yet if https://report-uri.io/ supports that or if there are other services like this. So there is no excuse for not enabling this 😉
Edit: https://report-uri.io/ requires registration so it would be difficult to enable Report-Only by default unfortunately.

The requirements that @drybjed mentioned have been implemented by @drybjed in the meantime.

@AnBuKu
Copy link
Author

AnBuKu commented Jan 6, 2017

For the record: OWASP about Certificate and Public Key Pinning and Transport Layer Protection Cheat Sheet with quite useful, practical/hands-on hints and checklists

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

3 participants