Hi all,

Michael Kranch and I have undertaken a similar effort this summer to study
both HSTS and key pinning in practice. Standard disclaimer: this is a
working draft that hasn't been peer-reviewed yet (it's currently under
submission), but here's a draft of our findings:
http://jbonneau.com/doc/KB14-hsts_pinning_survey_working_draft.pdf

Compared to Lucas et al.'s paper, our crawl was actually slightly smaller
(top 10k sites) but is more up-to-date, and we checked for a few more
things. In particular, we have a breakdown of bugs due to errors with the
interaction of cookies and pinning/HSTS, and a survey of pinning "mixed
content" which I haven't seen documented previously. We'll get the code up
publicly soon as well.

Hopefully our work is also of interest to this list and we'd very much
appreciate any feedback!

Cheers,

Joe


On Sun, Aug 10, 2014 at 7:38 AM, Yoav Nir <[email protected]> wrote:

>
> On Aug 10, 2014, at 12:59 PM, Tobias Gondrom <[email protected]>
> wrote:
>
> > Hi Jeff,
> >
> > thanks for sharing. Good paper and interesting read.
> >
> > Even though things are slowly picking up in adoption, it's a bit
> > disappointing that it's been only 277 out of 100000 sites in Oct 2013. (On a
> > personal note: this is consistent with my personal anecdotal experience:
> > as part of overall secure development training, I also mention HSTS to
> > developers a couple of times per year, and so far nearly none of them
> > used it before…)
>
> My anecdotal evidence is that I tried to promote it at the company where I
> work. We sell (among other things) an SSL-VPN gateway. That is pretty much
> a pre-packaged web server, configurable to provide access to company
> resources such as email, ERP and whatever else employees need over a web
> interface.
>
> At first this looked to me like a great candidate for HSTS - it’s only
> HTTPS, no HTTP. It’s pre-packaged, so we could add it without the
> administrators needing to do any work. In the end, what killed the idea was
> what happens when certificates expire or when a valid certificate is
> replaced by an almost-valid certificate (missing alternate name). The
> administrators of our products run the gamut from IT professionals who have
> been through our administration courses all the way to the CEO’s nephew
> who’s really good with computers (‘cause he’s got his own Facebook profile
> and everything). We felt it was too risky to just ship the server with HSTS
> on.
>
> It’s still possible to turn it on by editing some Apache configuration
> files, but you really want security to be on by default.
>
> Yoav
>
> _______________________________________________
> websec mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/websec
>
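The lockout scenario Yoav describes (an expired certificate, or a replacement certificate missing the alternate name, sitting behind a cached HSTS policy) as an added example that is not part of this thread or of the Kranch/Bonneau survey code: a pre-flight check in Python that parses the Strict-Transport-Security header and flags what would become a no-click-through failure once the policy is cached. The certificate is a constructed (SAN list, notAfter) pair rather than a parsed X.509, and the comparison of max-age against the remaining certificate lifetime is my own heuristic, not an RFC rule.

```python
# Added example (not code from this thread or the Kranch/Bonneau survey):
# a pre-flight check an appliance could run before shipping with HSTS on by
# default, modelling the lockout described above: once a browser has cached
# the policy, an expired cert or a replacement cert whose SAN list misses the
# host is a hard failure with no click-through until max-age elapses.
from datetime import datetime, timedelta

def parse_hsts(header: str) -> dict:
    """RFC 6797 s6.1: names case-insensitive, values may be quoted, max-age required."""
    directives = {}
    for part in header.split(";"):
        if not part.strip():
            continue
        name, _, value = part.partition("=")
        name = name.strip().lower()
        if name in directives:
            raise ValueError(f"duplicate directive: {name}")
        directives[name] = value.strip().strip('"') or True
    max_age = str(directives.get("max-age", ""))
    if not max_age.isdigit():
        raise ValueError("max-age missing or non-numeric")
    directives["max-age"] = int(max_age)
    return directives

def san_covers(host: str, sans: list) -> bool:
    """True if a dNSName SAN matches host; a wildcard covers exactly one label."""
    host = host.lower()
    labels = host.split(".")
    for san in (s.lower() for s in sans):
        if san == host:
            return True
        if san.startswith("*.") and len(labels) >= 3 and ".".join(labels[1:]) == san[2:]:
            return True
    return False

def hsts_preflight(host: str, header: str, sans: list, not_after: datetime, now: datetime) -> list:
    """Defects that become a lockout once the policy is cached. The certificate is a
    constructed (SAN list, notAfter) pair; the max-age vs. expiry check is a heuristic."""
    policy = parse_hsts(header)
    problems = []
    if not san_covers(host, sans):
        problems.append(f"certificate SAN list does not cover {host}")
    remaining = not_after - now
    if remaining <= timedelta(0):
        problems.append("certificate already expired")
    elif remaining < timedelta(seconds=policy["max-age"]):
        gap = (timedelta(seconds=policy["max-age"]) - remaining).days
        problems.append(f"HSTS max-age outlives the certificate by {gap} days")
    return problems
```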