SSL - HSTS Preloading & Public Key Spinning

Mahfuz_SS_EHL Member, Provider

Hi,

I just got to know about HSTS Preloading. I've already done what the Preloading Rules require and submitted through https://hstspreload.appspot.com/, but it seems one of my websites only preloads in Google Chrome, not in IE, Firefox, Edge, Tor.

Again, I did some research on Public Key Spinning and it seems I have to add the PIN (SS Cert's one) in the Apache config. However, each SSL is assigned a unique PIN. I'm using cPanel, so how can I add so many PINs in my Apache config? Interesting fact is, if I add the PIN of any certificate in the SSL chain, it works! Then, is there any way to get all the CA's Root Certificates PIN?

Reference: https://www.ssllabs.com/ssltest/analyze.html?d=rcpcbd.com

Thanks!

AlphaSSL Revocation Issue is being investigated.

Comments

  • Mahfuz_SS_EHL Member, Provider

    @Raymii Can you shed some light on this topic?

    AlphaSSL Revocation Issue is being investigated.

  • perennate Member, Provider
    edited January 2016

    When did your submission get added to the list? It won't be propagated until each browser pushes the next update of their own lists.

  • Mahfuz_SS_EHL Member, Provider

    @perennate said:
    When did your submission get added to the list? It won't be propagated until each browser pushes the next update of their own lists.

    So, from that website (https://hstspreload.appspot.com/) the browsers get the information and then update their list? I thought there might be some technical problem on my side and that's why it hasn't been loaded! Thanks for clearing up the point.

    AlphaSSL Revocation Issue is being investigated.

  • Public Key Pinning please (HPKP). Actually the site says it can take weeks to get listed everywhere. So all you can do is wait.

    I'm on vacation in Belize.

  • Mahfuz_SS_EHL Member, Provider

    @Hidden_Refuge said:
    Public Key Pinning please (HPKP). Actually the site says it can take weeks to get listed everywhere. So all you can do is wait.

    That's HSTS Preloading. What about HPKP? What's the rule to PIN the certs?

    AlphaSSL Revocation Issue is being investigated.

  • HPKP (HTTP Public Key Pinning) has no list. It has no relation to HSTS. HSTS tells the client to always use HTTPS connection on all domains (including sub domains) of domain.com. HPKP does not contribute anything to this HSTS list.

    HPKP is used to prevent MITM attacks with different SSL certificates. The HPKP header includes the SHA256 hash values of all used certificates and sends these to the client. Now if the certificate hash changes because of a MITM attack with a different certificate for the same domain your browser will not open the site because the hash values it received via HPKP do not match and you will get a security warning about possible tampering of your connection to domain.com.

    https://developer.mozilla.org/en/docs/Web/Security/Public_Key_Pinning

    I'm on vacation in Belize.
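
Added example, not part of the thread or any poster's code: under RFC 7469 a `pin-sha256` value is the base64 SHA-256 of a certificate's SubjectPublicKeyInfo (SPKI), so the pin follows the key and stays the same when a certificate is reissued for that key. The sketch extracts the SPKI from DER, derives the pin, and builds the `Public-Key-Pins` header; `tlv`, `sample_cert`, the dummy Ed25519 key and the `max_age` default are assumptions constructed for illustration.

```python
import base64
import hashlib

def tlv(tag, body):  # DER-encode one element; only used to build the sample below
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    size = (n.bit_length() + 7) // 8
    return bytes([tag, 0x80 | size]) + n.to_bytes(size, "big") + body

def read_tlv(buf, pos):
    """Return (tag, value_start, end) of the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        size = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + size], "big"), pos + size
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def extract_spki(cert_der):
    """Return the DER bytes of subjectPublicKeyInfo from an X.509 certificate."""
    _, pos, _ = read_tlv(cert_der, 0)      # Certificate SEQUENCE
    _, pos, _ = read_tlv(cert_der, pos)    # tbsCertificate SEQUENCE
    tag, _, end = read_tlv(cert_der, pos)
    if tag == 0xA0:                        # optional [0] version (absent in v1)
        pos = end
    for _ in range(5):  # serialNumber, signature, issuer, validity, subject
        _, _, pos = read_tlv(cert_der, pos)
    tag, _, end = read_tlv(cert_der, pos)
    if tag != 0x30:
        raise ValueError("subjectPublicKeyInfo not found")
    return cert_der[pos:end]

def spki_pin(cert_der):
    # base64(SHA-256(SPKI)) is the value placed inside pin-sha256="..."
    return base64.b64encode(hashlib.sha256(extract_spki(cert_der)).digest()).decode()

def hpkp_header(pins, max_age=5184000):
    if len(set(pins)) < 2:
        raise ValueError("RFC 7469 needs a backup pin in addition to a chain pin")
    return "; ".join([f'pin-sha256="{p}"' for p in pins] + [f"max-age={max_age}"])

# Constructed sample (not a real certificate): Ed25519 SPKI with a dummy key.
SAMPLE_SPKI = bytes.fromhex("302a300506032b6570032100") + bytes(range(32))
ALG = bytes.fromhex("300506032b6570")
def sample_cert(serial):
    tbs = tlv(0x30, bytes.fromhex("a003020102") + tlv(0x02, bytes([serial])) + ALG
              + tlv(0x30, b"") * 3 + SAMPLE_SPKI)
    return tlv(0x30, tbs + ALG + tlv(0x03, bytes(65)))
```

For a PEM file, convert it with `ssl.PEM_cert_to_DER_cert` before calling `spki_pin`. Chrome and Firefox have since removed HPKP support, so this shows how pins are derived, not a header to deploy today.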
