SSL - HSTS Preloading & Public Key Spinning
Mahfuz_SS_EHL Host Rep, Veteran

Hi,

Just got to know about HSTS Preloading. I've already done what the Preloading Rules require and submitted through https://hstspreload.appspot.com/, but it seems one of my websites only preloads in Google Chrome, not in IE, Firefox, Edge, Tor.

Again, I did some research on Public Key Spinning and it seems I have to add the Pin (the SS Cert's one) in the Apache config. However, each SSL is assigned a unique PIN. I'm using cPanel, how can I add so many PINs in my Apache config?? Interesting fact is, if I add the PIN of any certificate in the SSL chain, it works! Then, is there any way to get all the CA's Root Certificates' PINs??

Reference: https://www.ssllabs.com/ssltest/analyze.html?d=rcpcbd.com

Thanks !

Comments

  • Mahfuz_SS_EHL Host Rep, Veteran

    @Raymii Can you shed some light on this topic ??

  • perennate Member, Host Rep
    edited January 2016

    When did your submission get added to the list? It won't be propagated until each browser pushes the next update of their own lists.

  • Mahfuz_SS_EHL Host Rep, Veteran

    @perennate said:
    When did your submission get added to the list? It won't be propagated until each browser pushes the next update of their own lists.

    So, from that website (https://hstspreload.appspot.com/) the browsers get the information and then update their list?? I thought there might be some technical problem on my side, that's why it's not been loaded! Thanks for clearing up the point.

  • Hidden_Refuge

    Public Key Pinning please (HPKP). Actually the site says it can take weeks to get listed everywhere. So all you can do is wait.

  • Mahfuz_SS_EHL Host Rep, Veteran

    @Hidden_Refuge said:
    Public Key Pinning please (HPKP). Actually the site says it can take weeks to get listed everywhere. So all you can do is wait.

    That's HSTS Preloading. What about HPKP? What's the rule to PIN the certs??

  • HPKP (HTTP Public Key Pinning) has no list. It has no relation to HSTS. HSTS tells the client to always use an HTTPS connection on all domains (including subdomains) of domain.com. HPKP does not contribute anything to this HSTS list.

    HPKP is used to prevent MITM attacks with different SSL certificates. The HPKP header includes the SHA256 hash values of all used certificates and sends these to the client. Now, if the certificate hash changes because of a MITM attack with a different certificate for the same domain, your browser will not open the site because the hash values it received via HPKP do not match, and you will get a security warning about possible tampering of your connection to domain.com.

    https://developer.mozilla.org/en/docs/Web/Security/Public_Key_Pinning
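    The pin computation the thread is asking about, as an added example (not code from the thread or any participant): an HPKP pin-sha256 value is the base64 SHA-256 of the certificate's SubjectPublicKeyInfo (RFC 7469), so it can be taken from the leaf, an intermediate or the root, and a client accepts a chain when any one member matches a pin, which is why pinning any certificate in the chain "works". `sample_cert` builds a constructed, unsigned certificate-shaped blob with made-up Ed25519 key bytes so the DER walker runs offline; `der`, `der_header`, `extract_spki`, `spki_pin` and `chain_is_pinned` are names chosen here, not from any library.

```python
import base64
import hashlib
def der(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV; used only to build the constructed sample certificate below."""
    n = len(body)
    ln = bytes([n]) if n < 0x80 else (b"\x81" + bytes([n]) if n < 0x100 else b"\x82" + n.to_bytes(2, "big"))
    return bytes([tag]) + ln + body

def der_header(data: bytes, pos: int):
    """Return (tag, value_start, value_end) of the TLV that begins at pos."""
    tag, length, vs = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                                    # long-form length
        n = length & 0x7F
        length, vs = int.from_bytes(data[vs:vs + n], "big"), vs + n
    return tag, vs, vs + length

def extract_spki(cert_der: bytes) -> bytes:
    """Slice the SubjectPublicKeyInfo TLV out of a DER X.509 certificate.
    Certificate = SEQ{tbs, alg, sig}; tbs = SEQ{[0]version?, serial, alg, issuer, validity, subject, spki, ...}"""
    _, tbs_start, _ = der_header(cert_der, 0)
    _, pos, end = der_header(cert_der, tbs_start)
    fields = []
    while pos < end:
        tag, _, nxt = der_header(cert_der, pos)
        fields.append((tag, pos, nxt))
        pos = nxt
    if fields[0][0] == 0xA0:                             # explicit [0] version present (v2/v3)
        fields = fields[1:]
    return cert_der[fields[5][1]:fields[5][2]]           # whole SPKI TLV, header included

def spki_pin(spki_der: bytes) -> str:
    """HPKP pin-sha256 value: base64(SHA-256(SubjectPublicKeyInfo DER)), per RFC 7469."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()

def chain_is_pinned(chain_der, pins) -> bool:
    """Client-side check: it is enough that ANY certificate in the served chain matches a pin."""
    return any(spki_pin(extract_spki(c)) in pins for c in chain_der)

ED25519_ALG = der(0x30, der(0x06, bytes.fromhex("2b6570")))  # AlgorithmIdentifier for Ed25519
def sample_cert(pubkey32: bytes) -> bytes:
    """Constructed, unsigned certificate-shaped blob (NOT a valid certificate) for the demo."""
    spki = der(0x30, ED25519_ALG + der(0x03, b"\x00" + pubkey32))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + ED25519_ALG
              + der(0x30, b"") + der(0x30, b"") + der(0x30, b"") + spki)
    return der(0x30, tbs + ED25519_ALG + der(0x03, b"\x00" + bytes(64)))

if __name__ == "__main__":
    chain = [sample_cert(bytes(range(32))), sample_cert(bytes(range(32, 64)))]      # constructed leaf, intermediate
    pins = [spki_pin(extract_spki(chain[1])), spki_pin(extract_spki(sample_cert(b"\xff" * 32)))]  # live + backup
    print("; ".join(f'pin-sha256="{p}"' for p in pins) + "; max-age=5184000", chain_is_pinned(chain, pins))
```

    To pin a real certificate, feed `extract_spki` the DER file; always publish a second pin for a backup key you control but have not deployed, because a pin that no longer matches the served chain locks clients out until max-age expires.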
