| Source | Destination | Referrer |
|---|---|---|
| https://example.com/page-one | https://example.com/page-two | https://example.com/page-one |
| https://example.com/page-one | https://google.com/ | https://example.com |
| https://example.com/page-one | http://example.com/page-two | NULL |
| https://example.com/page-one | http://google.com/ | NULL |
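The table above shows the Referer header a browser sends for each navigation away from https://example.com/page-one; the behaviour it lists (full URL same-origin, origin only cross-origin, nothing on an HTTPS-to-HTTP downgrade) matches the `strict-origin-when-cross-origin` value of `Referrer-Policy`, which is an assumption here because the table does not name its policy. The following model is added as an example and is not code from the session page; it computes the Referer value for that policy and for the other standard values so the downgrade and cross-origin cases can be compared.

```javascript
// Added example (not from the session page): model of the Referer value a
// browser sends under each Referrer-Policy. Assumption: the table above shows
// the "strict-origin-when-cross-origin" policy.

// Browsers strip credentials and the fragment before exposing a referrer.
function stripForReferrer(url) {
  const u = new URL(url);
  u.username = "";
  u.password = "";
  u.hash = "";
  return u.href;
}

// A downgrade is a navigation from a TLS-protected page to a plaintext one;
// the "strict" and "when-downgrade" policies send nothing in that case so the
// source URL cannot leak over an unencrypted connection.
function isDowngrade(src, dst) {
  return src.protocol === "https:" && dst.protocol === "http:";
}

// Returns the Referer header value, or null when no header is sent.
function referrerFor(policy, source, destination) {
  const src = new URL(source);
  const dst = new URL(destination);
  const full = stripForReferrer(source);
  const originOnly = src.origin + "/";
  const sameOrigin = src.origin === dst.origin;
  const downgrade = isDowngrade(src, dst);
  switch (policy) {
    case "no-referrer": return null;
    case "unsafe-url": return full;
    case "origin": return originOnly;
    case "same-origin": return sameOrigin ? full : null;
    case "no-referrer-when-downgrade": return downgrade ? null : full;
    case "strict-origin": return downgrade ? null : originOnly;
    case "origin-when-cross-origin": return sameOrigin ? full : originOnly;
    case "strict-origin-when-cross-origin":
      return downgrade ? null : sameOrigin ? full : originOnly;
    default: throw new Error(`unknown Referrer-Policy: ${policy}`);
  }
}

// The four rows of the table above, recomputed under the assumed policy.
function referrerTable(policy = "strict-origin-when-cross-origin") {
  const source = "https://example.com/page-one";
  const destinations = ["https://example.com/page-two", "https://google.com/",
    "http://example.com/page-two", "http://google.com/"];
  return destinations.map((d) => [source, d, referrerFor(policy, source, d)]);
}
```

Browsers send the origin-only form with a trailing slash (`https://example.com/`), which the table writes without it.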
Fascinating thread from a leader in the HTTPS ecosystem — providing HPKP capability to unvetted web developers was a mistake, in retrospect. https://t.co/qUjaXym7uT
— SwiftOnSecurity (@SwiftOnSecurity) 24 Aug 2017
tl;dr the people who standardized HPKP say don't use it; it sounds like a cool hedge, but the risk is incredible long-term for theoretical gain
— SwiftOnSecurity (@SwiftOnSecurity) 24 Aug 2017
But pinning is terrible - and harms the ecosystem more than helps, as we've seen. It was a bad thing to standardize 😔
— Ryan Sleevi (@sleevi_) 24 Aug 2017
Interesting. I should buy you some scotch so I can learn more.
— Mark Nottingham (@mnot) 24 Aug 2017
No scotch needed to get me to apologize for my sins and the painful lessons learned. I actively discourage it now, even w/ ecosystem risk
— Ryan Sleevi (@sleevi_) 24 Aug 2017
But pinning your own key is still a footgun. I know of several who pinned to keys they couldn't legit get certs for when needed
— Ryan Sleevi (@sleevi_) 24 Aug 2017
Locate this session at the DrupalCon Vienna website
https://events.drupal.org/vienna2017/sessions/using-your-headers-better-security