[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Wget-dev] wget2 | Deprecate HPKP, and support Expect-CT (#454)

From: Ander Juaristi
Subject: [Wget-dev] wget2 | Deprecate HPKP, and support Expect-CT (#454)
Date: Sun, 14 Jul 2019 19:29:28 +0000

Ander Juaristi created an issue:

  Google deprecated HPKP in Chrome 67. There are several reasons behind this, 
and the main one seems to be HPKP's very low tolerance to mistakes. A 
misconfiguration in HPKP can be fatal: may render the target website 
effectively inaccessible for a long time (until the pins expire). This is 
probably why most sites haven't adopted it. In late 2017, only 375 of the Alexa 
Top 1 Million sites deployed HPKP.

The proposed alternative is Certificate Transparency. The idea is that CAs log 
every new certificate they issue to a distributed public log. This log uses 
Merkle trees to organize the hashes of the certificates, and it is very 
efficient to query.

Then, instead of pinning keys, web servers send a `Expect-CT` HTTP header. This 
header tells the UA it should check whether the server's certificate has been 
appended to the CT log.

This is intended to provide the same security guarantees as HPKP, but removes a 
heavy burden from web site administrators. Their CA will typically append the 
certificates to the CT log whenever they are renewed.




Reply to this email directly or view it on GitLab: 
You're receiving this email because of your account on gitlab.com.

reply via email to

[Prev in Thread] Current Thread [Next in Thread]