Analysing HSTS and HPKP implementation in both browsers and servers
| Published in | IET Information Security, Vol. 12, No. 4, pp. 275-284 |
|---|---|
| Main Authors | |
| Format | Journal Article |
| Language | English |
| Published | The Institution of Engineering and Technology, 01.07.2018 |
| Subjects | |
| Summary | HTTP Strict Transport Security (HSTS) and HTTP Public Key Pinning (HPKP) are two protocols aimed at enforcing HTTPS connections and allowing certificate pinning over HTTP. The combination of these recent protocols improves and strengthens HTTPS security in general, adding an additional layer of trust and verification. In addition, they help ensure that the connection is always encrypted and correctly authenticated. However, during the process of adoption and implementation of any protocol that is not yet completely settled, the possibility of introducing new weaknesses, opportunities or attack scenarios arises. Even when these protocols are implemented, bad practices prevent them from actually providing the additional security they are expected to provide. In this study, the authors review not just the quantity but the quality (according to several criteria) of the implementation in both servers and the most popular browsers, and report on some possible attack scenarios that the authors have discovered. |
|---|---|
| ISSN | 1751-8709, 1751-8717 |
| DOI | 10.1049/iet-ifs.2017.0030 |