Implementation State of HSTS and HPKP in Both Browsers and Servers

  • Sergio de los Santos
  • Carmen Torrano
  • Yaiza Rubio
  • Félix Brezo
Conference paper

DOI: 10.1007/978-3-319-48965-0_12

Volume 10052 of the book series Lecture Notes in Computer Science (LNCS)
Cite this paper as:
de los Santos S., Torrano C., Rubio Y., Brezo F. (2016) Implementation State of HSTS and HPKP in Both Browsers and Servers. In: Foresti S., Persiano G. (eds) Cryptology and Network Security. CANS 2016. Lecture Notes in Computer Science, vol 10052. Springer, Cham

Abstract

HSTS and HPKP are relatively recent protocols aimed at enforcing HTTPS connections and allowing certificate pinning over HTTP. The combination of these protocols improves and strengthens HTTPS security in general, adding an additional layer of trust and verification, as well as ensuring as far as possible that the connection is always secure. However, the adoption and implementation of any protocol that is not yet completely settled usually involves the possibility of introducing new weaknesses, opportunities or attack scenarios. Even when these protocols are implemented, bad practices prevent them from actually providing the additional security they are expected to provide. In this document, we have studied the quantity and the quality of their implementation both in servers and in the most popular browsers, and discovered some possible attack scenarios.
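As an added illustration of the implementation-quality problem the abstract describes (this is not code from the paper): a checker that parses Strict-Transport-Security and Public-Key-Pins header values and reports the configuration weaknesses that stop these headers from delivering their intended protection. The minimum max-age thresholds and the sample headers are assumptions constructed for the example.

```python
# Added example (not from the paper): flag weak HSTS and HPKP header values.
# Thresholds are assumptions, not figures from the paper.
import base64
MIN_HSTS_MAX_AGE = 15552000  # 180 days, assumed (hstspreload-style) minimum
MIN_HPKP_MAX_AGE = 2592000   # 30 days, assumed minimum

def parse_directives(header):
    """Split 'a=b; c; d="x"' into (name, value) pairs: names lowercased, quotes stripped."""
    pairs = []
    for part in filter(None, (p.strip() for p in header.split(";"))):
        name, _, value = part.partition("=")
        pairs.append((name.strip().lower(), value.strip().strip('"')))
    return pairs

def check_hsts(header):
    """Return the weaknesses found in a Strict-Transport-Security value (empty if none)."""
    d, issues = dict(parse_directives(header)), []
    if not d.get("max-age", "").isdigit():
        issues.append("missing or malformed max-age")
    elif int(d["max-age"]) == 0:
        issues.append("max-age=0 clears the HSTS entry for this host")
    elif int(d["max-age"]) < MIN_HSTS_MAX_AGE:
        issues.append("max-age below the assumed minimum: protection lapses quickly")
    if "includesubdomains" not in d:
        issues.append("includeSubDomains absent: subdomains are not covered")
    return issues

def check_hpkp(header):
    """Return the weaknesses found in a Public-Key-Pins value (empty if none)."""
    pairs = parse_directives(header)
    d, issues = dict(pairs), []
    pins = [v for k, v in pairs if k == "pin-sha256"]  # dict() would drop repeats
    if len(pins) < 2:
        issues.append("fewer than two pins: RFC 7469 requires a backup pin")
    for pin in pins:
        try:
            valid = len(base64.b64decode(pin, validate=True)) == 32
        except ValueError:
            valid = False
        if not valid:
            issues.append(f"pin {pin!r} is not a base64-encoded SHA-256 digest")
    if not d.get("max-age", "").isdigit():
        issues.append("missing or malformed max-age")
    elif int(d["max-age"]) < MIN_HPKP_MAX_AGE:
        issues.append("max-age below the assumed minimum: pins expire quickly")
    return issues

# Constructed sample headers (not from any real server); pins are base64 of dummy bytes.
SAMPLE_HSTS = "max-age=31536000; includeSubDomains; preload"
SAMPLE_HPKP = 'pin-sha256="%s"; pin-sha256="%s"; max-age=5184000' % (
    base64.b64encode(b"A" * 32).decode(), base64.b64encode(b"B" * 32).decode())
```

Run the two checkers over the headers a server actually returns; an empty list means no weakness of the kinds checked was found, not that the deployment is correct.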

Keywords

Certificates, HPKP, HSTS, Web browsing, Privacy

Copyright information

© Springer International Publishing AG 2016

Authors and Affiliations

  • Sergio de los Santos (1)
  • Carmen Torrano (1)
  • Yaiza Rubio (1)
  • Félix Brezo (1)
  1. Telefonica Digital, Ronda de la Comunicación, Madrid, Spain