[Wget-dev] wget2 | Deprecate HPKP, and support Expect-CT (#454)
From: Ander Juaristi
Subject: [Wget-dev] wget2 | Deprecate HPKP, and support Expect-CT (#454)
Date: Sun, 14 Jul 2019 19:29:28 +0000
Ander Juaristi created an issue:
Google deprecated HPKP in Chrome 67. There are several reasons behind this,
and the main one seems to be HPKP's very low tolerance to mistakes. A
misconfiguration in HPKP can be fatal: may render the target website
effectively inaccessible for a long time (until the pins expire). This is
probably why most sites haven't adopted it. In late 2017, only 375 of the Alexa
Top 1 Million sites deployed HPKP.
The proposed alternative is Certificate Transparency. The idea is that CAs log
every new certificate they issue to a distributed public log. This log uses
Merkle trees to organize the hashes of the certificates, and it is very
efficient to query.
Then, instead of pinning keys, web servers send an `Expect-CT` HTTP header. This
header tells the UA it should check whether the server's certificate has been
appended to the CT log.
This is intended to provide the same security guarantees as HPKP, but removes a
heavy burden from web site administrators. Their CA will typically append the
certificates to the CT log whenever they are renewed.
https://www.certificate-transparency.org/
https://groups.google.com/a/chromium.org/forum/#!msg/blink-dev/he9tr7p3rZ8/eNMwKPmUBAAJ
https://httpwg.org/http-extensions/expect-ct.html#response-header-field-syntax
--
Reply to this email directly or view it on GitLab:
https://gitlab.com/gnuwget/wget2/issues/454
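As an added example (not code from the issue above, nor from wget2), the following Python block shows the two mechanisms the issue relies on: parsing the `Expect-CT` response header into its `max-age`, `enforce` and `report-uri` directives, and the Merkle-tree inclusion check a client performs against a CT log (the RFC 6962 leaf/node hashing and the inclusion-proof verification algorithm). The "certificates" here are constructed placeholder byte strings standing in for the DER-encoded leaf entries a real log stores; real CT leaves are `MerkleTreeLeaf` structures that also carry a timestamp, which this example simplifies away, and quoted-string backslash escapes in `report-uri` are not unescaped.

```python
import hashlib

# ---- Expect-CT header parsing ------------------------------------------------

def parse_expect_ct(header_value):
    """Parse an Expect-CT header value into {'max_age', 'enforce', 'report_uri'}.

    Returns None when the field must be ignored by a UA: missing or non-numeric
    max-age, a directive repeated, or a directive that does not fit the syntax
    (this example treats 'enforce=<value>' as malformed). Unknown directives
    are ignored, as the draft requires.
    """
    result = {"max_age": None, "enforce": False, "report_uri": None}
    seen = set()
    for raw in header_value.split(","):
        token = raw.strip()
        if not token:
            continue
        name, sep, value = token.partition("=")
        name, value = name.strip().lower(), value.strip()
        if name in seen:
            return None  # duplicated directive -> whole header is invalid
        seen.add(name)
        if name == "max-age":
            if not sep or not value.isdigit():
                return None
            result["max_age"] = int(value)  # delta-seconds
        elif name == "enforce":
            if sep:
                return None
            result["enforce"] = True
        elif name == "report-uri":
            if len(value) < 2 or value[0] != '"' or value[-1] != '"':
                return None
            result["report_uri"] = value[1:-1]
    if result["max_age"] is None:
        return None
    return result

# ---- Certificate Transparency Merkle tree (RFC 6962 hashing) ------------------

def _leaf_hash(data):
    # Leaf hashes are domain-separated from node hashes by a 0x00 prefix.
    return hashlib.sha256(b"\x00" + data).digest()

def _node_hash(left, right):
    return hashlib.sha256(b"\x01" + left + right).digest()

def _split(n):
    # k = largest power of two strictly smaller than n (n > 1)
    k = 1 << (n.bit_length() - 1)
    return k // 2 if k == n else k

def merkle_tree_hash(leaves):
    """MTH(D[n]): the log's signed tree head root for these leaves."""
    n = len(leaves)
    if n == 0:
        return hashlib.sha256(b"").digest()
    if n == 1:
        return _leaf_hash(leaves[0])
    k = _split(n)
    return _node_hash(merkle_tree_hash(leaves[:k]), merkle_tree_hash(leaves[k:]))

def inclusion_proof(leaves, index):
    """Audit path for leaves[index], ordered from the leaf up to the root.
    This is what the log returns; its size is O(log n), which is why the
    structure is cheap to query."""
    n = len(leaves)
    if n <= 1:
        return []
    k = _split(n)
    if index < k:
        return inclusion_proof(leaves[:k], index) + [merkle_tree_hash(leaves[k:])]
    return inclusion_proof(leaves[k:], index - k) + [merkle_tree_hash(leaves[:k])]

def verify_inclusion(leaf, index, tree_size, proof, root):
    """Client side: recompute the root from the leaf and the audit path and
    compare it with the root from the signed tree head."""
    if index >= tree_size:
        return False
    fn, sn = index, tree_size - 1
    r = _leaf_hash(leaf)
    for p in proof:
        if sn == 0:
            return False  # more path elements than the tree can have
        if fn & 1 or fn == sn:
            r = _node_hash(p, r)  # sibling is on the left
            if not fn & 1:
                while fn & 1 == 0 and fn != 0:
                    fn >>= 1
                    sn >>= 1
        else:
            r = _node_hash(r, p)  # sibling is on the right
        fn >>= 1
        sn >>= 1
    return sn == 0 and r == root

# Constructed sample log: placeholder entries, not real certificates.
SAMPLE_LOG = [b"constructed-cert-%d" % i for i in range(7)]

if __name__ == "__main__":
    root = merkle_tree_hash(SAMPLE_LOG)
    proof = inclusion_proof(SAMPLE_LOG, 5)
    print("entry 5 included:", verify_inclusion(SAMPLE_LOG[5], 5, 7, proof, root))
    print(parse_expect_ct('max-age=86400, enforce, report-uri="https://example.com/ct"'))
```

`verify_inclusion` is the part a client such as wget2 would run: it never needs the whole log, only the leaf, its index, the tree size, the O(log n) audit path and the root from the signed tree head. A certificate that was never logged, or a substituted leaf, produces a different root and the check fails.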