Common mistakes in HPKP (HTTP Public Key Pinning)

Because Netcraft runs a system that observes the infrastructure of the entire internet, it sometimes compiles interesting findings, like this HPKP round-up that turned up a lot of configuration errors: "HTTP Public Key Pinning: You’re doing it wrong!".

Pulling out the items listed:

  • Zero max-age: this one XDDD
  • Wrong pin directives: not writing pin-sha256, including pin-sha512 (not supported by the RFC), pin-sha1 (also not supported by the RFC), pin-sha (still not supported by the RFC), pin-sha245 (fat-fingered XDDD), ping-sha256 (XDDD).
  • Only one pinned public key: HPKP requires two pinned public keys.
  • No pins at all: broken by a typo, such as forgetting to wrap the value in double quotes (i.e. "「"」").
  • At least two pins, but no backup pins: they should be two completely independent CAs.
  • Setting HPKP policies over HTTP: these are simply ignored.
  • Not quite got round to it yet...: seeing "Public-Key-Pins: TODO" is pretty good too XDDD
  • Using HPKP headers to broadcast skepticism: same flavour as the one above XDDD Public-Key-Pins: This is like the most useless header I have ever seen. Preventing MITM, c'mon, whoever can't trust his own network shouldn't enter sensitive data anywhere.
  • Violation reports that will never be received: when something goes wrong, the report is sent to the very domain that is broken, so it never gets delivered XD
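
As an added example (not from the Netcraft post or this blog), here is a small Python linter that flags the header mistakes listed above; the header values and host names used with it are constructed.

```python
import re
from urllib.parse import urlparse

# SPKI fingerprint: base64 of a 32-byte SHA-256 digest is always 44 chars.
SPKI_B64 = re.compile(r"^[A-Za-z0-9+/]{43}=$")


def lint_hpkp(header, host, over_https=True):
    """Return problems found in a Public-Key-Pins header value (checks mirror
    the Netcraft findings). Whether a pin is a real backup, i.e. absent from
    the served chain, needs the certificate chain and is not checked here."""
    problems = []
    if not over_https:
        problems.append("served over plain HTTP: browsers ignore the header")
    pins, max_age, report_uri, include_sub = [], None, None, False
    for directive in filter(None, (d.strip() for d in header.split(";"))):
        name, _, value = directive.partition("=")
        name, value = name.strip().lower(), value.strip()
        if name == "max-age":
            if value.isdigit():
                max_age = int(value)
            else:
                problems.append(f"max-age is not a number: {value!r}")
        elif name == "pin-sha256":
            if len(value) < 2 or value[0] != '"' or value[-1] != '"':
                problems.append(f"pin not double-quoted, pin is dropped: {value}")
            elif not SPKI_B64.match(value[1:-1]):
                problems.append(f"pin is not a base64 SHA-256 digest: {value}")
            else:
                pins.append(value[1:-1])
        elif name.startswith("pin"):  # pin-sha512, pin-sha1, ping-sha256, ...
            problems.append(f"unknown pin directive {name!r}: only pin-sha256 exists")
        elif name == "report-uri":
            report_uri = value.strip('"')
        elif name == "includesubdomains":
            include_sub = True
        else:
            problems.append(f"unknown directive {name!r}")
    if max_age is None:
        problems.append("max-age is missing, the header is invalid")
    elif max_age == 0:
        problems.append("max-age=0 removes pins instead of setting them")
    if len(pins) < 2:
        problems.append(f"{len(pins)} usable pin(s); at least two (one backup) are needed")
    if report_uri:  # a report endpoint covered by the pins cannot receive failure reports
        rhost = (urlparse(report_uri).hostname or "").lower()
        if rhost == host.lower() or (include_sub and rhost.endswith("." + host.lower())):
            problems.append(f"report-uri {report_uri} is covered by the pins and undeliverable on failure")
    return problems
```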
