Netcraft runs a system that watches the architecture of the whole internet, and every so often they dig up something interesting. This time it was HPKP, and they found plenty of misconfigured deployments: "HTTP Public Key Pinning: You're doing it wrong!".
Here is a rundown of the mistakes they list:
- Zero max-age: this one XDDD (max-age=0 tells the browser to discard any stored pins, so the header does nothing at all).
- Wrong pin directives: no pin-sha256 anywhere, but instead pin-sha512 (not in the RFC), pin-sha1 (not in the RFC either), pin-sha (still not in the RFC), pin-sha245 (fat-fingered XDDD) and ping-sha256 (XDDD). Browsers only understand pin-sha256; everything else is ignored.
- Only one pinned public key: HPKP requires at least two pins.
- No pins at all: a typo kills the whole policy, e.g. forgetting to wrap the pin value in double quotes (").
- At least two pins, but no backup pins: the second pin has to be a backup key that is not in the certificate chain currently being served (a spare key you generated ahead of time, or a key from an independent CA). If every pin is in the current chain, losing or rotating that key locks your users out.
- Setting HPKP policies over HTTP: the browser simply ignores these.
- Not quite got round to it yet...: seeing "Public-Key-Pins: TODO" is pretty good too XDDD
- Using HPKP headers to broadcast skepticism: same spirit as the one above XDDD
Public-Key-Pins: This is like the most useless header I have ever seen. Preventing MITM, c'mon, whoever can't trust his own network shouldn't enter sensitive data anywhere.
- Violation reports that will never be received: the report-uri points at the very domain that has the pin problem, so a pin failure for that host breaks the report request too and the report never gets out XD
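The whole list boils down to checks you can run against a header before you ship it. The linter below is an added example (not code from Netcraft or from the HPKP RFC); it parses a Public-Key-Pins header value and flags each of the mistakes above, including the "no backup pin" case, which needs the SPKI digests of the chain you actually serve. The host name www.example.com, the report host report.example.net and the digests LEAF_PIN, INTERMEDIATE_PIN and BACKUP_PIN are constructed stand-ins, not real keys.

```python
import re
from urllib.parse import urlparse

# Shape of a well-formed pin: the directive name followed by a double-quoted
# base64 SHA-256 digest (32 bytes -> 44 base64 characters ending in '=').
PIN_RE = re.compile(r'^pin-sha256="([A-Za-z0-9+/]{43}=)"$', re.IGNORECASE)


def lint_hpkp(header, host, scheme="https", chain_pins=()):
    """Lint one Public-Key-Pins header value and return a list of problems.

    host       - host that served the header (used for the report-uri check)
    scheme     - scheme the header arrived on; HPKP over http:// is ignored
    chain_pins - base64 SPKI digests of the certificates actually served,
                 needed for the "no backup pin" check
    """
    problems = []
    if scheme.lower() != "https":
        problems.append("policy set over HTTP: browsers ignore it")

    pins, max_age, report_uri = [], None, None
    for raw in header.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        if name == "max-age":
            if value.strip().isdigit():
                max_age = int(value)
            else:
                problems.append(f"unparseable max-age {value.strip()!r}")
        elif name == "report-uri":
            report_uri = value.strip().strip('"')
        elif name == "includesubdomains":
            pass
        elif name == "pin-sha256":
            m = PIN_RE.match(directive)
            if m:
                pins.append(m.group(1))
            else:
                problems.append(f"malformed pin value {value.strip()!r}: "
                                "must be a double-quoted base64 SHA-256 digest")
        else:
            # pin-sha512, pin-sha1, ping-sha256, TODO, ... all land here
            problems.append(f"unknown directive {name!r}: only pin-sha256 is defined")

    if max_age is None:
        problems.append("max-age is required; without it the header is ignored")
    elif max_age == 0:
        problems.append("max-age=0 clears any stored pins: the policy is a no-op")

    if not pins:
        problems.append("no valid pins at all")
    elif len(pins) < 2:
        problems.append("only one pin: at least two are required (one must be a backup)")
    elif chain_pins:
        in_chain = [p for p in pins if p in chain_pins]
        if not in_chain:
            problems.append("no pin matches the served chain: browsers will not note the pins")
        elif len(in_chain) == len(pins):
            problems.append("no backup pin: every pin is already in the served chain")

    if report_uri and urlparse(report_uri).hostname == host.lower():
        problems.append("report-uri points at the pinned host itself: "
                        "reports cannot be delivered when pinning fails")
    return problems


# Constructed SPKI digests standing in for real leaf, intermediate and backup keys.
LEAF_PIN = "A" * 43 + "="
INTERMEDIATE_PIN = "B" * 43 + "="
BACKUP_PIN = "C" * 43 + "="
SERVED_CHAIN = (LEAF_PIN, INTERMEDIATE_PIN)

# Constructed headers mirroring the mistakes in the post (hosts are made up).
SAMPLES = {
    "good": f'max-age=5184000; pin-sha256="{LEAF_PIN}"; pin-sha256="{BACKUP_PIN}"; '
            f'report-uri="https://report.example.net/hpkp"',
    "zero max-age": f'max-age=0; pin-sha256="{LEAF_PIN}"; pin-sha256="{BACKUP_PIN}"',
    "wrong directive": f'max-age=5184000; pin-sha512="{LEAF_PIN}"; ping-sha256="{BACKUP_PIN}"',
    "one pin": f'max-age=5184000; pin-sha256="{LEAF_PIN}"',
    "missing quotes": f'max-age=5184000; pin-sha256={LEAF_PIN}; pin-sha256={BACKUP_PIN}',
    "no backup": f'max-age=5184000; pin-sha256="{LEAF_PIN}"; pin-sha256="{INTERMEDIATE_PIN}"',
    "todo": "TODO",
    "self report": f'max-age=5184000; pin-sha256="{LEAF_PIN}"; pin-sha256="{BACKUP_PIN}"; '
                   f'report-uri="https://www.example.com/hpkp-report"',
}


def lint_samples(host="www.example.com"):
    """Run the linter over every constructed sample; returns {name: [problems]}."""
    return {name: lint_hpkp(h, host, chain_pins=SERVED_CHAIN) for name, h in SAMPLES.items()}


if __name__ == "__main__":
    for name, found in lint_samples().items():
        print(f"{name}: {found or 'OK'}")
```

To feed it real digests instead of the constructed ones, compute pin-sha256 for each certificate in your chain with the standard recipe: `openssl x509 -in cert.pem -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64`, and do the same for the backup key you keep offline; the linter then tells you whether at least one pin is in the chain and at least one is not.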
Can HPKP be configured on an ordinary shared host?