mozilla / http-observatory-website

Mozilla Observatory (Website)
https://observatory.mozilla.org/
Mozilla Public License 2.0
308 stars 55 forks

HPKP - HTTP Public Key Pinning #172

Open benkhayes opened 6 years ago

benkhayes commented 6 years ago

I suggest removing the optional HTTP Public Key Pinning method in Mozilla Observatory due to the low adoption rate, lack of support from Google and potential issues if configured improperly by eager developers or malicious users who gain access to a server.

Sources:

- https://www.zdnet.com/article/google-chrome-is-backing-away-from-public-key-pinning-and-heres-why/
- https://ordina-jworks.github.io/security/2018/02/12/HPKP-deprecated-what-now.html
- https://scotthelme.co.uk/the-death-knell-for-hpkp/
- https://scotthelme.co.uk/im-giving-up-on-hpkp/
- https://www.smashingmagazine.com/be-afraid-of-public-key-pinning/
- https://raymii.org/s/blog/Chrome_68_is_deprecating_HPKP.html
- https://thenewstack.io/security-researchers-lose-faith-http-public-key-pinning/
- https://www.thesslstore.com/blog/google-deprecates-hpkp/
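The lock-out risk raised in the comment above, as an added example that is not part of the original issue or of the Observatory's own code: a small model of how an RFC 7469 user agent notes a Public-Key-Pins header and validates later connections against the cached pins. The SPKI byte strings are constructed placeholders rather than real DER (only their SHA-256 hashes matter), the header builder and scenario names are assumptions made for the example, and the certificate chains are lists of SPKI blobs standing in for the TLS chain.

```python
"""
Added example (not code from the Observatory project): a model of how a
browser handles Public-Key-Pins (RFC 7469), used to show how a bad or
hostile pin set locks returning visitors out for max-age seconds.

A pin is base64(SHA-256(SubjectPublicKeyInfo DER)).  The SPKI values below
are constructed placeholders, not real DER; only their hashes matter.
"""
import base64
import hashlib
from typing import List, Optional

# Constructed stand-ins for the DER-encoded SubjectPublicKeyInfo of each key.
LEAF = b"constructed SPKI: current leaf key"
INTERMEDIATE = b"constructed SPKI: intermediate CA key"
BACKUP = b"constructed SPKI: offline backup key"
NEW_KEY = b"constructed SPKI: key generated after the backup was lost"
ATTACKER = b"constructed SPKI: attacker-controlled key"
ATTACKER_BACKUP = b"constructed SPKI: attacker-controlled backup key"


def spki_pin(spki_der: bytes) -> str:
    """pin-sha256 value for a DER-encoded SubjectPublicKeyInfo."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def build_header(spkis: List[bytes], max_age: int) -> str:
    """Assumed helper: render a Public-Key-Pins value for the given keys."""
    pins = "; ".join(f'pin-sha256="{spki_pin(s)}"' for s in spkis)
    return f"{pins}; max-age={max_age}; includeSubDomains"


def parse_hpkp(header_value: str) -> dict:
    """Split a Public-Key-Pins value into its pins and directives."""
    pins, max_age, include_subdomains = [], 0, False
    for directive in header_value.split(";"):
        name, _, value = directive.strip().partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "pin-sha256":
            pins.append(value)
        elif name == "max-age" and value.isdigit():
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
    return {"pins": pins, "max_age": max_age,
            "include_subdomains": include_subdomains}


def note_pins(header_value: str, served_chain: List[bytes]) -> Optional[dict]:
    """
    Decide whether a UA would note (cache) the pins from this response.
    RFC 7469 requires a positive max-age, at least one pin matching an SPKI
    in the served chain, and at least one backup pin matching none of them;
    a header that fails any of these is ignored and nothing is cached.
    """
    policy = parse_hpkp(header_value)
    served = {spki_pin(s) for s in served_chain}
    pins = set(policy["pins"])
    if policy["max_age"] <= 0 or not (pins & served) or not (pins - served):
        return None
    return {"pins": pins, "max_age": policy["max_age"]}


def pin_validation(noted: dict, served_chain: List[bytes]) -> bool:
    """A later connection passes only if some served SPKI is in the noted set."""
    return any(spki_pin(s) in noted["pins"] for s in served_chain)


def scenarios() -> dict:
    """Walk through the deployments discussed in the issue; every value is True."""
    results = {}

    # Correct deployment: leaf pinned, an offline backup key pinned too.
    good = note_pins(build_header([LEAF, BACKUP], 5184000), [LEAF, INTERMEDIATE])
    results["good_header_noted"] = good is not None
    results["rotate_to_backup_ok"] = pin_validation(good, [BACKUP, INTERMEDIATE])

    # Eager developer loses the backup key and rotates to a fresh one:
    # every returning visitor is locked out until max-age (60 days) expires.
    results["lost_backup_lockout"] = not pin_validation(good, [NEW_KEY, INTERMEDIATE])

    # Attacker with server access serves a certificate for their own key and
    # pins it for a year; after cleanup the legitimate key fails validation.
    hostile = note_pins(build_header([ATTACKER, ATTACKER_BACKUP], 31536000),
                        [ATTACKER, INTERMEDIATE])
    results["hostile_header_noted"] = hostile is not None
    results["owner_locked_out_after_cleanup"] = not pin_validation(hostile, [LEAF, INTERMEDIATE])

    # Safety valve: a header whose pins match nothing in the chain is ignored.
    typo = note_pins(build_header([NEW_KEY, BACKUP], 5184000), [LEAF, INTERMEDIATE])
    results["mismatched_header_ignored"] = typo is None
    return results


if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name}: {ok}")
```

The two failure cases in `scenarios()` are the ones the comment points at: a header that passed every syntactic check the Observatory could run still leaves the site unreachable for the full max-age once the pinned keys are gone, and an attacker who can set the header needs nothing more than a certificate for a key they control.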

leeoniya commented 4 years ago

@april

HPKP is now listed as deprecated on MDN; it's time to drop it.

https://developer.mozilla.org/en-US/docs/Web/HTTP/Public_Key_Pinning

dbaron commented 4 years ago

HPKP support (at least in the default configuration) has been removed from Chromium (bug, platform status) and from Gecko (bug).

floatingatoll commented 4 years ago

I updated mozilla/http-observatory#421 today to resolve the test failures in my initial submission.