-
Notifications
You must be signed in to change notification settings - Fork 193
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Dynamic HPKP pinning tests #88
Comments
I think the design should be like in https://hsts.badssl.com/. The only thing you have to keep in mind is that the image which indicates the state of HPKP should be loaded over a different domain than https://hpkp.badssl.com/ (e.g.), because otherwise you cannot access https://hpkp.badssl.com/ any more... 😃 |
One more. A 90 second timeout. Technically correct, but not very useful. |
What is this meant to test? I am happy to add as many subdomains and paths as are useful, but each of them should be useful for testing some sort of security feature (preferentially browser UI). |
This wil not give an error in the browser UI. Just like having a single pin will not give an error. However, these cases are still considered bad practise because having your hpkp pin exipire after 90 seconds still allows an attacker to mitm you if you haven't visited the site in less then 90 seconds before the attack. Similarly the single pin is bad because you will effectively brick your site for everybody that visited your site before in the timeout period if you lose your private key. My usecase Is that I'm using badssl as a testbed for testssl.sh |
Hmm, that sounds pretty reasonable. Would it be sufficient to have these configurations at different paths on the same domain (much less fuss than creating a separate domain for each one)? |
For testbed purposes it would be sufficient, as testssl.sh is just a shellscript and it doesn't stick to the rules of hpkp. I would go for separate domains if the testcase bricks the site. Fatal mistakes that each need a separate site:
You could actually combine these into a single site. Have two pins, one for something you pulled from /dev/random and the other that pins a CA that you don't use. One site that has the non-fatal mistakes:
Since both test cases can actually live inside the same header, there is no need to have these on separate URLs. You could add a correctly configured site that has:
|
(Followup to #15.)
The text was updated successfully, but these errors were encountered: