On Thursday, September 28, 2017 at 12:06:50 PM UTC-5, Gervase Markham wrote:
> Does anyone have stats on HPKP prevalence and duration distribution?
> Ideally combined with whether the longer time periods are pinning to
> roots, intermediates or EE certs?
>
> Gerv

Of the 1.97M unique domains scanned by the Mozilla Observatory, 10559 of them utilize HTTP Public Key Pinning with at least two pins. Here are the twenty most common max-age settings for those domains:

Number of Domains    max-age
5480                 2592000
2060                 5184000
724                  31536000
314                  15768000
168                  86400
144                  7776000
138                  604800
129                  1296000
127                  10
122                  15552000
112                  3600
83                   300
73                   63072000
70                   51840000
64                   60
42                   600
30                   0
30                   1209600
27                   259200
20                   864000

30 days is the most common setting, followed by 60 days. If you cap max-age at 1 year to limit outliers, the average max-age normalized by the number of domains is 70.83 days.

You can see the entirety of the data here, if you want to play around with it:

https://docs.google.com/spreadsheets/d/1zZp76ZOWSXe8W346oa1tFbdVH1KH_XhaM_07a6Ej_b8/edit?usp=sharing

Please let me know if there's anything else I can get you!
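The following is an added example, not part of the original message: it recomputes the domain-weighted max-age statistics from the twenty rows quoted in the post, applying the same 1-year cap. It covers only those rows (9957 of the 10559 domains), so its mean is close to, but not the same as, the 70.83 days reported for the full data set; the function names are illustrative.

```python
# Added example: duration statistics over the twenty rows quoted in the post.
# Function names are illustrative and not taken from the Mozilla Observatory.

SECONDS_PER_DAY = 86400
ONE_YEAR = 31536000  # the 1-year cap mentioned in the post, in seconds

# "number of domains  max-age (seconds)", copied from the table in the post.
ROWS = """
5480 2592000
2060 5184000
724 31536000
314 15768000
168 86400
144 7776000
138 604800
129 1296000
127 10
122 15552000
112 3600
83 300
73 63072000
70 51840000
64 60
42 600
30 0
30 1209600
27 259200
20 864000
"""

def parse_rows(text):
    """Return a list of (domain_count, max_age_seconds) tuples."""
    return [tuple(int(x) for x in ln.split()) for ln in text.splitlines() if ln.strip()]

def weighted_mean_days(rows, cap=None):
    """Mean max-age in days, weighted by domain count, optionally capped."""
    total = sum(n for n, _ in rows)
    secs = sum(n * (age if cap is None else min(age, cap)) for n, age in rows)
    return secs / total / SECONDS_PER_DAY

def weighted_median_days(rows):
    """max-age (in days) of the middle domain when domains are sorted by max-age."""
    half = sum(n for n, _ in rows) / 2
    seen = 0
    for n, age in sorted(rows, key=lambda r: r[1]):
        seen += n
        if seen >= half:
            return age / SECONDS_PER_DAY

if __name__ == "__main__":
    rows = parse_rows(ROWS)
    print("domains covered:", sum(n for n, _ in rows))
    print("capped mean (days): %.2f" % weighted_mean_days(rows, cap=ONE_YEAR))
    print("median (days):", weighted_median_days(rows))
```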