Skip to main content
Springer Nature Link
Log in

Implementation State of HSTS and HPKP in Both Browsers and Servers

  • Conference paper
  • First Online:
Cryptology and Network Security (CANS 2016)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 10052))

Included in the following conference series:

  • 2379 Accesses

Abstract

HSTS and HPKP are relatively recent protocols aimed to enforce HTTPS connections and allow certificate pinning over HTTP. The combination of these protocols improves and strengthens HTTPS security in general, adding an additional layer of trust and verification, as well as ensuring as far as possible that the connection is always secure. However, the adoption and implementation of any protocol that is not yet completely settled, usually involves the possibility of introducing new weaknesses, opportunities or attack scenarios. Even when these protocols are implemented, bad practices prevent them from actually providing the additional security they are expected to provide. In this document, we have studied the quantity and the quality of the implementation both in servers and in most popular browsers and discovered some possible attack scenarios.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution

Subscribe and save

Springer+ Basic
$34.99 /Month
  • Get 10 units per month
  • Download Article/Chapter or eBook
  • 1 Unit = 1 Article or 1 Chapter
  • Cancel anytime
Subscribe now

Buy Now

Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Similar content being viewed by others

References

  1. Rizzo, J., Duong, T.: BEAST. Ekoparty (2011)

    Google Scholar 

  2. Mller, B., Duong, T., Kotowicz, K.: This POODLE bites: exploiting the SSL 3.0 fallback (2014). https://www.openssl.org/~bodo/ssl-poodle.pdf. REPASAR

  3. Rizzo, J., Duong, T.: The CRIME Attack. Ekoparty (2012)

    Google Scholar 

  4. Codenomicon: The Heartbleed Bug. Ekoparty (2014)

    Google Scholar 

  5. Bhargavan, K., Delignat-Lavaud, A., Fournet, C., Pironti, A., Strub, P.: Triple handshakes and cookie cutters: breaking and fixing authentication over TLS. In: IEEE Symposium on Security and Privacy (2014)

    Google Scholar 

  6. Jia, Y., Chen, Y., Dong, X., Saxena, P., Mao, J., Liang, Z.: Man-in-the-browser-cache: persisting HTTPS attacks via browser cache poisoning. Comput. Secur. 55, 62–80 (2015)

    Article  Google Scholar 

  7. Marlinspike, M.: New Tricks for Defeating SSL in Practice. BlackHat (2009). http://www.thoughtcrime.org/software/sslstrip/

  8. Paul, I.: Firefox Add-on Firesheep Brings Hacking to the Masses. PCWorld (2010)

    Google Scholar 

  9. Mandalia, R.: Security Breach in CA Networks - Comodo, DigiNotar, GlobalSign. \(ISC^2\) Blog (2012). http://blog.isc2.org/isc2_blog/2012/04/test.html

  10. Langley, A.: Further improving digital certificate security. Google Security Blog (2013). https://security.googleblog.com/2013/12/further-improving-digital-certificate.html

  11. Langley, A.: Maintaining digital certificate security. Google Security Blog (2014). https://security.googleblog.com/2014/07/maintaining-digital-certificate-security.html

  12. Hoffman, P.: The DNS-Based Authentication of Named Entities (DANE). Transport Layer Security (TLS) Protocol: TLSA. https://www.rfc-editor.org/rfc/rfc6698.txt

  13. Marlinspike, M., Perrin, T.: Tacks. http://tack.io/draft.html

  14. Loesch, C.: Certificate Patrol. https://addons.mozilla.org/es/firefox/addon/certificate-patrol/

  15. Wendlandt, D., Andersen, D., Perrig, A.: Perspectives: Improving SSH-style Host Authentication with Multi-Path Probing (2008). http://static.usenix.org/event/usenix08/tech/full_papers/wendlandt/wendlandt_html/

  16. Marlinspike, M.: Convergence (2011). http://convergence.io/

  17. Yan: Weird New Tricks for Browser Fingerprinting (2015). https://zyan.scripts.mit.edu/presentations/toorcon2015.pdf

  18. Internet Engineering Task Force (IETF): HTTP Strict Transport Security (HSTS). RFC 6797(2012). https://tools.ietf.org/html/rfc6797

  19. Internet Engineering Task Force (IETF): Public Key Pinning Extension for HTTP. RFC 7469(2015). https://tools.ietf.org/html/rfc7469

  20. Internet Engineering Task Force (IETF): Certificate Transparency (2013). https://tools.ietf.org/html/rfc6962

  21. Garron, L., Bortz, A., Boneh, D.: The State of HSTS Deployment: A Survey and Common Pitfalls (2014)

    Google Scholar 

  22. Kranch, M., Bonneau, J.: Upgrading HTTPS in mid-air: an empirical study of strict transport security and key pinning. In: Network and Distributed System Security Symposium (NDSS) (2015)

    Google Scholar 

  23. Selvi, J.: Bypassing HTTP Strict Transport Security. BlackHat Europe (2014)

    Google Scholar 

  24. IETF: IETF. https://www.ietf.org/

  25. Shodan: Shodan. http://www.shodan.io

  26. Alexa internet Inc: Alexa. http://www.alexa.com/

  27. Deveria, A.: Can I use Strict Transport Security? (2016). http://caniuse.com/#feat=stricttransportsecurity

  28. Monica: Firefox 32 supports Public Key Pinning (2014). http://monica-at-mozilla.blogspot.de/2014/08/firefox-32-supports-public-key-pinning.html

  29. Bugzilla: Bugzilla@Mozilla (2014). https://bugzilla.mozilla.org/show_bug.cgi?id=775370

  30. Mozilla: Mozilla Code (2014). https://dxr.mozilla.org/comm-central/source/mozilla/security/manager/ssl/nsSiteSecurityService.h

  31. ElevenPaths: PinPatro. https://addons.mozilla.org/es/firefox/addon/pinpatrol/

  32. Deveria, A.: Can I Use Public Key Pinning (2015). http://caniuse.com/#feat=publickeypinning

  33. Deveria, A.: Can I use HSTS? (2015). http://caniuse.com/#search=HSTS

  34. Nishimura, M.: Appended period to hostnames can bypass HPKP and HSTS protections. https://www.mozilla.org/en-US/security/advisories/mfsa2015-13/

Download references

Author information

Authors and Affiliations

  1. Telefonica Digital, Ronda de la Comunicación, s/n (Distrito Telefónica), Madrid, Spain

    Sergio de los Santos, Carmen Torrano, Yaiza Rubio & Félix Brezo

Authors
  1. Sergio de los Santos
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Carmen Torrano
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Yaiza Rubio
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Félix Brezo
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Sergio de los Santos .

Editor information

Editors and Affiliations

  1. Università degli Studi di Milano, Crema, Italy

    Sara Foresti

  2. Università degli Studi di Salerno, Fisciano, Italy

    Giuseppe Persiano

Rights and permissions

Reprints and permissions

Copyright information

© 2016 Springer International Publishing AG

About this paper

Cite this paper

de los Santos, S., Torrano, C., Rubio, Y., Brezo, F. (2016). Implementation State of HSTS and HPKP in Both Browsers and Servers. In: Foresti, S., Persiano, G. (eds) Cryptology and Network Security. CANS 2016. Lecture Notes in Computer Science(), vol 10052. Springer, Cham. https://doi.org/10.1007/978-3-319-48965-0_12

Download citation

  • DOI: https://doi.org/10.1007/978-3-319-48965-0_12

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-48964-3

  • Online ISBN: 978-3-319-48965-0

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics