Implementation State of HSTS and HPKP in Both Browsers and Servers

  • Sergio de los Santos
  • Carmen Torrano
  • Yaiza Rubio
  • Félix Brezo
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10052)


HSTS and HPKP are relatively recent protocols aimed at enforcing HTTPS connections and allowing certificate pinning over HTTP. Combined, they improve and strengthen HTTPS security in general, adding an additional layer of trust and verification and ensuring, as far as possible, that the connection is always secure. However, adopting and implementing any protocol that is not yet completely settled usually carries the risk of introducing new weaknesses, opportunities or attack scenarios. Even when these protocols are implemented, bad practices prevent them from actually providing the additional security they are expected to provide. In this paper we study both the quantity and the quality of their implementation in servers and in the most popular browsers, and we describe some possible attack scenarios we discovered.
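As an added illustration of what "quality of implementation" means on the server side, the following Python audits Strict-Transport-Security and Public-Key-Pins header values against the rules of RFC 6797 and RFC 7469 and the usual deployment pitfalls (missing or tiny max-age, no includeSubDomains, no backup pin, no report-uri). It is example code written for this page, not tooling from the paper or its authors; the max-age thresholds, the sample header values and the SPKI pins are constructed assumptions.

```python
import base64
import hashlib
import re
from typing import Dict, List, Optional

# Thresholds are this example's assumptions, not figures from the paper.
MIN_HSTS_MAX_AGE = 31536000  # one year, the hstspreload.org requirement at time of writing
MIN_HPKP_MAX_AGE = 86400     # one day: shorter pins expire before they protect anyone
SPKI_HASH_LEN = 32           # a pin-sha256 value must decode to a 32-byte SHA-256 digest


def parse_directives(header_value: str) -> Optional[Dict[str, object]]:
    """Split an HSTS or HPKP header value into {name: value}.

    Names are case-insensitive and quoted values are unquoted. pin-sha256 may
    repeat and is collected into a list; any other repeated directive makes the
    header malformed (RFC 6797 / RFC 7469 say to ignore it), so None is returned.
    """
    directives: Dict[str, object] = {}
    for raw in header_value.split(";"):
        raw = raw.strip()
        if not raw:
            continue
        name, sep, value = raw.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"') if sep else None
        if name == "pin-sha256":
            directives.setdefault(name, []).append(value)
        elif name in directives:
            return None
        else:
            directives[name] = value
    return directives


def _check_max_age(directives: Dict[str, object], minimum: int) -> List[str]:
    """max-age is mandatory in both headers; flag absent, non-numeric, zero or short values."""
    value = directives.get("max-age")
    if not isinstance(value, str) or not re.fullmatch(r"\d+", value):
        return ["max-age missing or not a non-negative integer (header is ignored)"]
    age = int(value)
    if age == 0:
        return ["max-age=0 tells the browser to forget any stored policy"]
    if age < minimum:
        return [f"max-age={age} is below the assumed minimum of {minimum} seconds"]
    return []


def audit_hsts(header_value: str, over_https: bool = True) -> List[str]:
    """Return deployment problems for a Strict-Transport-Security value; [] means sound."""
    if not over_https:
        return ["HSTS sent over plain HTTP is ignored by browsers (RFC 6797 section 8.1)"]
    directives = parse_directives(header_value)
    if directives is None:
        return ["malformed header: a directive appears more than once"]
    findings = _check_max_age(directives, MIN_HSTS_MAX_AGE)
    if "includesubdomains" not in directives:
        findings.append("includeSubDomains missing: subdomains stay reachable over HTTP")
    if "preload" in directives and findings:
        findings.append("preload token present but preload-list requirements are not met")
    return findings


def is_valid_pin(pin: object) -> bool:
    """True when pin is base64 text that decodes to exactly one SHA-256 digest."""
    if not isinstance(pin, str):
        return False
    try:
        return len(base64.b64decode(pin, validate=True)) == SPKI_HASH_LEN
    except ValueError:  # binascii.Error is a ValueError subclass
        return False


def audit_hpkp(header_value: str, chain_spki_pins: List[str]) -> List[str]:
    """Return deployment problems for a Public-Key-Pins value given the served chain's pins."""
    directives = parse_directives(header_value)
    if directives is None:
        return ["malformed header: a directive appears more than once"]
    findings = _check_max_age(directives, MIN_HPKP_MAX_AGE)
    pins = [p for p in directives.get("pin-sha256", []) if is_valid_pin(p)]
    if not pins:
        findings.append("no syntactically valid pin-sha256 directive (header is ignored)")
    elif not any(p in chain_spki_pins for p in pins):
        findings.append("no pin matches the served chain: header is ignored (RFC 7469 section 2.5)")
    elif all(p in chain_spki_pins for p in pins):
        findings.append("no backup pin outside the chain: header is ignored (RFC 7469 section 2.5)")
    if "includesubdomains" not in directives:
        findings.append("includeSubDomains missing: subdomains are not pinned")
    if "report-uri" not in directives:
        findings.append("no report-uri: pin validation failures are never reported")
    return findings


def _pin(label: bytes) -> str:
    """Constructed stand-in for a real SPKI pin: base64(SHA-256(label))."""
    return base64.b64encode(hashlib.sha256(label).digest()).decode()


# Constructed sample data: no real certificates or hosts are involved.
LEAF_PIN = _pin(b"constructed leaf spki")
BACKUP_PIN = _pin(b"constructed offline backup spki")
SAMPLE_CHAIN = [LEAF_PIN, _pin(b"constructed intermediate spki")]
GOOD_HSTS = "max-age=31536000; includeSubDomains; preload"
WEAK_HSTS = "max-age=600"
GOOD_HPKP = (f'pin-sha256="{LEAF_PIN}"; pin-sha256="{BACKUP_PIN}"; max-age=5184000; '
             'includeSubDomains; report-uri="https://example.invalid/hpkp-report"')
WEAK_HPKP = f'pin-sha256="{LEAF_PIN}"; max-age=5184000'

if __name__ == "__main__":
    for label, result in [("good HSTS", audit_hsts(GOOD_HSTS)),
                          ("weak HSTS", audit_hsts(WEAK_HSTS)),
                          ("good HPKP", audit_hpkp(GOOD_HPKP, SAMPLE_CHAIN)),
                          ("weak HPKP", audit_hpkp(WEAK_HPKP, SAMPLE_CHAIN))]:
        print(f"{label}: {result or 'no findings'}")
```

The HPKP check needs the pins of the chain the server actually serves because RFC 7469 makes browsers discard a header that either matches nothing in the chain or has no backup pin outside it; a header that passes syntax checks can therefore still be silently ineffective, which is one of the bad practices the abstract refers to.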


Keywords: Certificates · HPKP · HSTS · Web browsing · Privacy



Copyright information

© Springer International Publishing AG 2016

Authors and Affiliations

  • Sergio de los Santos (1)
  • Carmen Torrano (1)
  • Yaiza Rubio (1)
  • Félix Brezo (1)
  1. Telefonica Digital, Ronda de la Comunicación, Madrid, Spain