Only 0.1% of you are doing web server security right

Certificate pinning is a useful thing. So why do hardly any use it?


tangor

6:55 am on Mar 24, 2016 (gmt 0)

Venerable net-scan outfit Netcraft has issued what cliché would describe as “a stinging rebuke” to sysadmins the world over, for ignoring HTTP Public Key Pinning (HPKP).

Pinning is designed to defend users against impersonation attacks, in which an attacker tricks a certificate authority into issuing a fraudulent certificate for a site.

If the attacker can present a user with a certificate for fubar.com, they can impersonate the site, opening a path for malfeasance like credential harvesting.

HPKP would address this – but as Netcraft says here, it only works if sysadmins apply it at the server, and they're not.

“Less than 0.1% of certificates found in Netcraft's March 2016 SSL Survey were served with the HPKP header,” the post says, adding: “Where it has been deployed, a third of webmasters have mistakenly set a broken HPKP policy. With so many mistakes being made, the barrier to entry is evidently high.”
[theregister.co.uk...]

bill

6:03 pm on Mar 25, 2016 (gmt 0)

I looked into this for some of my sites, but shied away from implementation due to accessibility concerns. If your audience isn't on the latest browsers then there can be issues even viewing the site. Who wants to add a security feature that makes your site invisible to a portion of users? Also, as pointed out in the article, it's not an easy setup.
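The "broken HPKP policy" figure in the first post and the lock-out worry in the second both come down to the same RFC 7469 acceptance rules, so here is one added example covering both (written for this thread, not code from the forum, Netcraft or The Register). It computes pin values the way the RFC defines them, builds a Public-Key-Pins or Public-Key-Pins-Report-Only header, and checks a header against the served chain for the mistakes a browser would silently reject: no max-age, fewer than two pins, no pin matching the chain, or no backup pin outside the chain. The SPKI byte strings and the report URI are constructed placeholders; a real SubjectPublicKeyInfo blob is what you get from `openssl x509 -pubkey -noout | openssl pkey -pubin -outform der`.

```python
"""HPKP (RFC 7469) policy generation and pre-deployment checking.

Added example for this thread, not code from the forum, Netcraft or The
Register.  Pure standard library.  The SPKI byte strings are constructed
placeholders standing in for real DER-encoded SubjectPublicKeyInfo blobs.
"""
import base64
import binascii
import hashlib

# Constructed stand-ins for the DER SubjectPublicKeyInfo of each key.
# In production, extract the real blob from the certificate:
#   openssl x509 -in leaf.pem -pubkey -noout | openssl pkey -pubin -outform der
LEAF_SPKI = b"constructed: leaf certificate SubjectPublicKeyInfo DER"
INTERMEDIATE_SPKI = b"constructed: intermediate CA SubjectPublicKeyInfo DER"
BACKUP_SPKI = b"constructed: offline backup key SubjectPublicKeyInfo DER"


def spki_pin(spki_der: bytes) -> str:
    """RFC 7469 pin value: base64(SHA-256(SubjectPublicKeyInfo DER))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def build_header(live_spkis, backup_spkis, max_age, include_subdomains=False,
                 report_uri=None, report_only=False):
    """Return (header-name, header-value) for a policy pinning the given keys.

    report_only=True emits Public-Key-Pins-Report-Only, which reports
    mismatches but never blocks a connection: the safe way to trial pinning
    before committing visitors to a long max-age.
    """
    directives = [f'pin-sha256="{spki_pin(k)}"' for k in list(live_spkis) + list(backup_spkis)]
    directives.append(f"max-age={int(max_age)}")
    if include_subdomains:
        directives.append("includeSubDomains")
    if report_uri:
        directives.append(f'report-uri="{report_uri}"')
    name = "Public-Key-Pins-Report-Only" if report_only else "Public-Key-Pins"
    return name, "; ".join(directives)


def parse_hpkp(value: str) -> dict:
    """Split a Public-Key-Pins value into its directives (names are case-insensitive)."""
    policy = {"pins": [], "max_age": None, "include_subdomains": False, "report_uri": None}
    for directive in value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        # Split at the first '=' only, so base64 padding inside the pin keeps its '='.
        name, _, raw = directive.partition("=")
        name, raw = name.strip().lower(), raw.strip().strip('"')
        if name == "pin-sha256":
            policy["pins"].append(raw)
        elif name == "max-age":
            policy["max_age"] = raw
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "report-uri":
            policy["report_uri"] = raw
    return policy


def check_policy(value: str, served_chain_spkis) -> list:
    """Return the reasons a browser would ignore this header, or [] if it would be accepted.

    Mirrors the RFC 7469 acceptance rules: a max-age, at least two well-formed
    pins, at least one matching an SPKI in the served chain, and at least one
    backup pin that does not (so a key rotation cannot lock visitors out).
    """
    policy = parse_hpkp(value)
    problems = []

    if policy["max_age"] is None or not policy["max_age"].isdigit():
        problems.append("max-age missing or not a non-negative integer")

    well_formed = []
    for pin in policy["pins"]:
        try:
            digest = base64.b64decode(pin, validate=True)
        except (binascii.Error, ValueError):
            problems.append(f"pin is not valid base64: {pin!r}")
            continue
        if len(digest) != 32:
            problems.append(f"pin does not decode to a 32-byte SHA-256 digest: {pin!r}")
            continue
        well_formed.append(pin)

    if len(well_formed) < 2:
        problems.append("fewer than two well-formed pins")

    chain_pins = {spki_pin(k) for k in served_chain_spkis}
    if not any(p in chain_pins for p in well_formed):
        problems.append("no pin matches any SubjectPublicKeyInfo in the served chain")
    if well_formed and all(p in chain_pins for p in well_formed):
        problems.append("no backup pin: every pin is already in the served chain")
    return problems


if __name__ == "__main__":
    # Hypothetical report URI; a real deployment would point at its own collector.
    name, value = build_header([LEAF_SPKI], [BACKUP_SPKI], max_age=5184000,
                               report_uri="https://example.com/hpkp-report")
    print(f"{name}: {value}")
    print("problems:", check_policy(value, [LEAF_SPKI, INTERMEDIATE_SPKI]))
```

Run `check_policy` against the header your server actually emits and the chain it actually serves before turning the real header on; anything it lists is a policy a browser discards, so you get no protection but still carry the deployment risk. The report-only variant with a short max-age is the answer to the lock-out concern: it tells you about mismatches without ever refusing a connection, and only once it has been quiet for a while does it make sense to switch to the enforcing header.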