Talk:HTTP Public Key Pinning: Difference between revisions
Latest revision as of 13:03, 2 July 2024
This is the talk page for discussing improvements to the HTTP Public Key Pinning article. This is not a forum for general discussion of the article's subject.
This article is rated C-class on Wikipedia's content assessment scale.
Future of HPKP
The Chrome devs want to deprecate and remove public key pinning: https://groups.google.com/a/chromium.org/forum/m/#!msg/blink-dev/he9tr7p3rZ8/eNMwKPmUBAAJ
"This will first remove support for HTTP-based PKP (“dynamic pins”), in which the user-agent learns of pin-sets for hosts by HTTP headers. We would like to do this in Chrome 67, which is estimated to be released to Stable on 29 May 2018."
The article should probably reflect this, but I'm unsure about phrasing and placement. ChristophLukas (talk) 20:55, 27 October 2017 (UTC)
Controversies
What happened to the following statement? Why was it removed by @Hello71?
Second, the reporting mechanism is suppressed from broken pinsets. The reporting of the broken pinset is called out as MUST NOT report, so a complying user agent will be complicit in the cover up after the fact.
Was it simply wrong or what's wrong with this statement?
At least in https://tools.ietf.org/html/rfc7469#section-2.1.4 I could not find any information that the client 'must not' report broken pinsets. --rugk (talk) 22:23, 28 June 2015 (UTC)
- I put my reasoning on User talk:Noloader:
- do you have any sources for #Controversies? ⁓ Hello71 17:30, 27 June 2015 (UTC)
- Yes. This is from the IETF, which approved the standard: Comments on draft-ietf-websec-key-pinning. This is from OWASP, which is an organization dedicated to software security: Certificate and Public Key Pinning | HTTP Pinning
- the former is an email to the IETF, and the latter appears to be a) an unofficial "wiki", and b) cites... Wikipedia as the source of information. furthermore, while the first source does complain about the first "reason", it does not appear to state anything about the second, i.e. "The reporting of the broken pinset is called out as MUST NOT report". I was unable to find any "MUST NOT" sections in the RFC related to the reporting, so I am removing that part from the article. feel free to reinstate it if you have some references. ⁓ Hello71 15:52, 28 June 2015 (UTC)
- (this is not formatted very well, feel free to make less terrible) ⁓ Hello71 01:28, 29 June 2015 (UTC)
- Okay, thanks. I did not see that. Nice to have it mentioned here too. So it seems that this was a wrong information. (fortunately) --rugk (talk) 20:49, 29 June 2015 (UTC)
- Hi, I am a co-author of the RFC and the author of https://noncombatant.org/2015/05/01/about-http-public-key-pinning/.
- I removed all of Noloader's Controversies section. (The "by whom?" is: By Noloader. See e.g. https://www.ietf.org/mail-archive/web/websec/current/msg02306.html and other messages to that list.) As stated, the section was vague, but entirely inaccurate as far as it went. A conformant and correct client with a live pin set will only trust servers that can establish connections that pass Pin Validation *based on that pin set*, including trusting the server to change the pin set. --noncombatantorg 04:50 6 June 2015 UTC — Preceding undated comment added 04:54, 6 July 2015 (UTC)
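The reply above states what a conformant client does with a live pin set: it trusts only connections that pass Pin Validation against the pins it has noted, and only over such a connection can the server change that pin set. The Python below is an added illustration written for this talk page, not code from RFC 7469, Chrome or Firefox. It models pin validation over the SHA-256 SPKI fingerprints of a chain, the backup-pin requirement before a Public-Key-Pins header is noted, a max-age=0 reset, and a simplified failure report for the report-uri directive that the question about section 2.1.4 refers to (the thread's dispute about whether a user agent reports is not settled here; the model simply reports whenever a report-uri was noted). The SPKI byte strings, header values, report-uri and report fields are constructed stand-ins, and ordinary X.509 chain validation is assumed to have succeeded before pin validation runs.

```python
"""Model of RFC 7469 Pin Validation and pin-set updates (added example).

Constructed for this talk page; not code from the RFC, Chrome or Firefox.
Assumption: a "chain" is a list of DER-encoded SubjectPublicKeyInfo byte
strings (dummy bytes below stand in for real DER), and normal X.509
validation has already passed before pin validation is applied.
"""
import base64
import hashlib
import re
from dataclasses import dataclass
from typing import Optional

_PIN_RE = re.compile(r'pin-sha256="([A-Za-z0-9+/=]+)"')


def spki_fingerprint(spki_der: bytes) -> str:
    """A pin-sha256 value: base64(SHA-256(DER-encoded SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


@dataclass
class PinDirective:
    """What a user agent notes for a Known Pinned Host."""
    pins: set                       # pin-sha256 values
    max_age: int                    # seconds; 0 means "forget this host"
    include_subdomains: bool = False
    report_uri: Optional[str] = None


def parse_pkp_header(value: str) -> PinDirective:
    """Parse a Public-Key-Pins header value (simplified ';'-separated directives)."""
    pins = set(_PIN_RE.findall(value))
    max_age, include_subdomains, report_uri = None, False, None
    for directive in value.split(";"):
        name, _, raw = directive.strip().partition("=")
        name, raw = name.lower(), raw.strip().strip('"')
        if name == "max-age":
            max_age = int(raw)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "report-uri":
            report_uri = raw
    if max_age is None:
        raise ValueError("Public-Key-Pins requires a max-age directive")
    return PinDirective(pins, max_age, include_subdomains, report_uri)


def process_connection(noted: Optional[PinDirective], chain_spkis: list,
                       pkp_header: Optional[str]):
    """Run pin validation; only if it passes may the server's header change the pins.

    Returns (trusted, new_noted_state, failure_report_or_None).
    """
    chain_fps = {spki_fingerprint(s) for s in chain_spkis}
    if noted is not None and not (noted.pins & chain_fps):
        # Pin Validation failure: the connection is not trusted, so the header it
        # carries is never examined. Simplified report (the real RFC 7469 report
        # also carries the served and validated certificate chains).
        report = None
        if noted.report_uri:
            report = {"report-uri": noted.report_uri,
                      "known-pins": sorted(noted.pins),
                      "served-pins": sorted(chain_fps)}
        return False, noted, report
    if pkp_header:
        new = parse_pkp_header(pkp_header)
        if new.max_age == 0:
            noted = None                                # server asks the UA to forget it
        elif (new.pins & chain_fps) and (new.pins - chain_fps):
            noted = new                                 # one matching pin + one backup pin
        # otherwise the header is ignored and the existing pins stay in force
    return True, noted, None


# Constructed stand-ins for DER-encoded SubjectPublicKeyInfo structures.
LEAF_SPKI = b"constructed:leaf-key-spki"
INTERMEDIATE_SPKI = b"constructed:intermediate-ca-spki"
BACKUP_SPKI = b"constructed:offline-backup-key-spki"
NEW_BACKUP_SPKI = b"constructed:next-backup-key-spki"
OTHER_SPKI = b"constructed:key-the-site-never-pinned"


def pkp_header_for(*spkis: bytes, report_uri: str = "https://report.example/hpkp") -> str:
    """Build a Public-Key-Pins value pinning the given keys (constructed report-uri)."""
    pins = "; ".join(f'pin-sha256="{spki_fingerprint(s)}"' for s in spkis)
    return f'{pins}; max-age=5184000; report-uri="{report_uri}"'


def run_scenarios():
    """First visit, a chain with an unpinned key, then a planned key rotation.

    Returns ([(label, trusted, noted pin count, report produced?)], final state).
    """
    out = []
    trusted, noted, rep = process_connection(
        None, [LEAF_SPKI, INTERMEDIATE_SPKI], pkp_header_for(LEAF_SPKI, BACKUP_SPKI))
    out.append(("first visit", trusted, len(noted.pins), rep is not None))
    # A chain whose key the site never pinned: rejected, reported, pins untouched,
    # and the header that chain carries cannot rewrite the pin set.
    trusted, noted, rep = process_connection(
        noted, [OTHER_SPKI, INTERMEDIATE_SPKI], pkp_header_for(OTHER_SPKI, NEW_BACKUP_SPKI))
    out.append(("unpinned key", trusted, len(noted.pins), rep is not None))
    # Rotation: the former backup key becomes the leaf; that connection passes
    # validation, so the server is allowed to advertise a new pin set.
    trusted, noted, rep = process_connection(
        noted, [BACKUP_SPKI, INTERMEDIATE_SPKI], pkp_header_for(BACKUP_SPKI, NEW_BACKUP_SPKI))
    out.append(("key rotation", trusted, len(noted.pins), rep is not None))
    return out, noted


if __name__ == "__main__":
    for step in run_scenarios()[0]:
        print(step)
```

The third scenario is the point of the reply above: the rotated chain is trusted only because it still matches a noted pin (the old backup key), and only that trusted connection is allowed to replace the pin set; the unpinned chain in the second scenario is rejected before its header is read, so it cannot talk the client out of its pins.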
HTTP Public Key Pinning vs static list Public Key Pinning
Public Key Pinning is a more general mechanism which encompasses HTTP Public Key Pinning (HPKP) and static list Public Key Pinning (static pins). Furthermore, HPKP was deprecated (in favor of Certificate Transparency and Expect-CT) and removed from Chrome 72+ (see article), and Firefox, the only other implementer of HPKP, announced plans to remove support and has already disabled HPKP by default on the development branch.[1] Therefore, I propose:
1. Make Public Key Pinning into an actual article (currently it is just a redirect to "HTTP Public Key Pinning")
2. Update "HTTP Public Key Pinning" article to clarify relationship to PKP.
3. Update "HTTP Public Key Pinning" with the recent compatibility information (Firefox and others).
[1] https://bugzilla.mozilla.org/show_bug.cgi?id=1412438
Anton.bersh (talk) 00:26, 14 November 2019 (UTC)
Cloud
Cloud 2A00:1FA0:827:18FB:0:18:2790:1901 (talk) 20:30, 22 January 2022 (UTC)
Alternatives to certificate pinning
This article (https://github.com/syang7081/server-authentication/wiki) proposed a method to authenticate servers and prevent MiTM attacks through digital signature verification, instead of public key validation. Syang7081 (talk) 06:01, 30 June 2024 (UTC)