HSTS and HPKP
HTTP Strict Transport Security (HSTS) lets a site turn plain HTTP requests into HTTPS inside the browser itself. Once a server has sent the Strict-Transport-Security header (which browsers only honour when it arrives over an HTTPS connection), every subsequent http:// request to that domain from that browser is rewritten to https:// before it leaves the client, for as long as the header's max-age allows; the insecure request is never sent, so there is no first hop for an attacker to intercept or downgrade. The mechanism is transparent to the user: the browser itself is responsible for the redirect and for remembering for how long each domain must be visited over HTTPS. The one gap is the very first visit, before any header has been seen, which is what browser preload lists exist to cover.
The idea behind certificate pinning is to detect when the chain of trust has been changed. To do so, a public key present in the certificate chain is bound, usually in the browser, to a specific domain. Thus, a domain A, e.g. www.elevenpaths.com, is linked to a specific certificate or certification authority B. If for any reason a different certification authority B' (one that also chains up to a trusted root, so ordinary certificate validation would accept it) issues a certificate for domain A, the chain no longer contains any pinned key and the browser refuses the connection. In general, any change to the certification chain that removes every pinned key is treated as a possible alteration. That is what HPKP (HTTP Public Key Pinning, carried in the Public-Key-Pins header) is for: the header lists SHA-256 hashes of the pinned SubjectPublicKeyInfo structures (pin-sha256), a max-age, optionally includeSubDomains, and must include at least one backup pin that is not in the current chain, because a pinned key that is lost or rotated otherwise locks users out of the site until max-age expires.
Firefox has supported HSTS since version 4 and HPKP since version 32 (HPKP support was later removed again in Firefox 72). PinPatrol is a Firefox extension that shows, in a readable format, the HSTS and HPKP entries stored by the browser. Firefox has no native way to display these domains, and the functionality is not properly documented.
An example of what the add-on shows:
The table contains the entries stored by the browser, translated into a more human-readable form.
- Domain: Domain protected under HSTS or HPKP.
- Score: An internal Firefox value. It increases by one for every distinct day (at least 24 hours apart) on which the domain is visited.
- Date: Last day the domain was visited, stored by Firefox as the number of days since 01/01/1970 (the Unix epoch).
- Expiration Date: When the entry expires, i.e. the time the header was received plus its max-age.
- SecurityProperty: Firefox's internal state for the entry: 0 is SecurityPropertyUnset, 1 is SecurityPropertySet, and 2 is SecurityPropertyKnockout (the site sent max-age=0, telling the browser to forget the entry).
- IncludeSubdomains: Whether the HSTS or HPKP directive includes subdomains.
- HPKP Pins: List of pin-sha256 values received in the Public-Key-Pins header (base64-encoded SHA-256 hashes of the pinned public keys).
PinPatrol is available from Mozilla's official add-on repository. We hope you find it useful.