
People are still ignoring HTTP Public Key Pinning, to their detriment


March 24, 2016

Internet services company Netcraft has issued what some would describe as a stinging rebuke to system administrators the world over for ignoring HTTP Public Key Pinning (HPKP), a neglect that can come back to bite them where it hurts.

'Pinning' is a defence against impersonation attacks in which an attacker tricks (or compromises) a certificate authority into issuing a fraudulent certificate for a website. A site that pins tells browsers, through the Public-Key-Pins response header, which public keys they should accept for it in future; a browser that has seen that header refuses any certificate chain for the site that does not contain one of those keys.

If the attacker can present a user with a trusted SSL certificate for siteexample.com (and can get between that user and the real site, for instance on a hostile network), they can impersonate the site, opening a path to credential harvesting and similar malfeasance.

The catch is that HPKP only protects users whose browsers have already received the header from the genuine site: it has to be deployed on the server, and almost nobody is deploying it. That is where the problem originates.

“On average, less than 0.1 percent of certificates found in Netcraft's March 2016 SSL Report were served with the HPKP header,” the post says, adding: “Where it has been deployed, a third of webmasters have mistakenly set a broken HPKP policy. With so many mistakes being made, the barrier to entry is evidently high.”

Putting that into numbers, Netcraft says only about 3,000 certificates are using HPKP: 4,100 sites in total serve the Public-Key-Pins header, but about 24.3 percent of those are getting it wrong.

The biggest reason Netcraft gives for administrators avoiding HPKP is that while it takes risk away from users, it places risk on the business deploying it.

Administrators have to set a policy lifetime (the header's max-age) for HPKP, and if the site operator loses the pinned private keys, or has to replace them with a key that was never pinned, returning visitors' browsers will refuse to connect for the remainder of that lifetime. This is why RFC 7469 requires at least one backup pin, for a key that is not in the served chain and is ideally held offline: browsers ignore a header without one, and a policy that pins only the live key is a self-inflicted outage waiting to happen.

The three case studies the post provides illustrate the real challenge in that trade-off. GitHub uses HPKP, but sets the policy's time-to-live at 300 seconds. That minimises user disruption if GitHub ever has a problem, but it also means the pin expires five minutes after a visit: in an attack, anybody who has not visited the real www.github.com within the past five minutes has no pin cached and is a potential victim.

Mozilla, for its part, accepts more risk: its support site sets a policy lifetime of fifteen days, which would be painful if a critical security issue forced it to move to keys that were never pinned.

Netcraft says Pixabay takes the largest risk of all, with a policy lifetime of a whole year: losing its private keys could put an end to the business. But, as the post says, “Pixabay has evidently decided that robust prevention of impersonation attacks is worth the risk.”
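The whole mechanism the article describes, as an added example in standard-library Python (this is not code from Netcraft, GitHub, Mozilla or Pixabay): how a pin is derived (base64 of the SHA-256 of the DER-encoded SubjectPublicKeyInfo), how the Public-Key-Pins header is built and checked for the mistakes that make browsers ignore it (no pin matching the served chain, no backup pin, no max-age), and a toy browser that forgets pins after max-age. Running simulate(300) reproduces both the GitHub five-minute exposure window and the lockout a site suffers if it rotates to an unpinned key. The host name and the RSA moduli are constructed toy values.

```python
"""HPKP end to end: pin derivation, header validation, toy pinning browser.
Added example, not from the Netcraft post or any site it names. Standard
library only; HOST and the N_* moduli are constructed toy values."""
import base64
import hashlib
import re

HOST = "www.example.com"               # constructed host name
N_SITE = 0xC0FFEE1234567890ABCDEF      # toy RSA moduli, not real keys
N_BACKUP = 0xBADC0DE9876543210FEDCB
N_ROGUE = 0xDEADBEEF0011223344556677
RSA_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1


def _der(tag, body):
    """DER TLV with a definite length (short or long form)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def _der_int(value):
    raw = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    if raw[0] & 0x80:          # leading zero keeps the INTEGER positive
        raw = b"\x00" + raw
    return _der(0x02, raw)


def rsa_spki(n, e=65537):
    """DER SubjectPublicKeyInfo for an RSA key: the bytes HPKP hashes."""
    algo = _der(0x30, _der(0x06, RSA_OID) + _der(0x05, b""))
    pubkey = _der(0x30, _der_int(n) + _der_int(e))
    return _der(0x30, algo + _der(0x03, b"\x00" + pubkey))


def spki_pin(spki_der):
    """pin-sha256 value: base64(SHA-256(SPKI DER))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()


def build_header(pins, max_age, include_subdomains=False):
    """Value of the Public-Key-Pins response header."""
    parts = ['pin-sha256="%s"' % p for p in pins] + ["max-age=%d" % max_age]
    if include_subdomains:
        parts.append("includeSubDomains")
    return "; ".join(parts)


def parse_header(value):
    pins = set(re.findall(r'pin-sha256="([^"]+)"', value))
    m = re.search(r"max-age=(\d+)", value)
    return pins, (int(m.group(1)) if m else None)


def policy_errors(header, chain_pins):
    """Reasons a browser would ignore the header (RFC 7469 section 2.5)."""
    pins, max_age = parse_header(header)
    errors = []
    if max_age is None:
        errors.append("missing max-age")
    if not pins & chain_pins:
        errors.append("no pin matches the served certificate chain")
    if not pins - chain_pins:
        errors.append("no backup pin (a pin for a key outside the chain)")
    return errors


class PinningClient:
    """Remembers pins per host like a browser; forgets them after max-age."""

    def __init__(self):
        self.store = {}  # host -> (pins, expiry time in seconds)

    def connect(self, host, now, chain_pins):
        """True if the client accepts a chain carrying chain_pins at `now`."""
        entry = self.store.get(host)
        if entry is None or now >= entry[1]:
            self.store.pop(host, None)   # expired or never seen: unprotected
            return True
        return bool(entry[0] & chain_pins)

    def visit(self, host, now, header, chain_pins):
        """A successful visit to the genuine site (re)notes its pins."""
        if not self.connect(host, now, chain_pins):
            return False
        if header and not policy_errors(header, chain_pins):
            pins, max_age = parse_header(header)
            self.store[host] = (pins, now + max_age)
        return True


def simulate(max_age):
    """Timeline for a site pinning with the given max-age (seconds)."""
    site, backup, rogue = (spki_pin(rsa_spki(n)) for n in (N_SITE, N_BACKUP, N_ROGUE))
    ua = PinningClient()
    ua.visit(HOST, 0, build_header([site, backup], max_age), {site})
    return {
        # a misissued certificate presented while the pin is still fresh
        "rogue_cert_inside_ttl": ua.connect(HOST, 100, {rogue}),
        # live key lost; operator rotates to the offline backup key
        "rotate_to_backup_key": ua.connect(HOST, 100, {backup}),
        # the same rogue certificate after max-age with no visit in between
        "rogue_cert_after_ttl": ua.connect(HOST, max_age + 1, {rogue}),
    }
```

For a real certificate the same pin comes from `openssl x509 -in cert.pem -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | base64`. The safe way to rehearse a policy before committing to a long max-age is the Public-Key-Pins-Report-Only header, which reports violations to a report-uri without enforcing them.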

Source: Netcraft.



Copyright © Internet Security.ca