= HPKP: Public Key Pinning Extension for HTTP =
HPKP is specified in [[http://tools.ietf.org/html/rfc7469 RFC 7469]] (published April 2015). A server sends the ''Public-Key-Pins'' HTTP header over an authenticated TLS connection; it carries base64-encoded SHA-256 hashes of SubjectPublicKeyInfo structures (''pin-sha256'' values) plus a ''max-age''. The client notes these pins for that period and afterwards refuses to establish a connection to the host unless at least one public key in the validated certificate chain hashes to a noted pin.
As of June 2015 it is supported by Firefox (since version 35) and Chrome (since version 38); Microsoft browsers don't support it. Pins are not enforced for chains that validate through a locally installed trust anchor, so antivirus software and "enterprise appliances" that deploy their own CA in the browser to intercept TLS keep working. The flip side is that HPKP does not protect against an attacker who can install a CA on the client.
HPKP is recommended for production sites which need a high level of trust, provided the operators thoroughly understand the concept of backup keys: the header must contain at least two pins, and at least one of them must refer to a key that is not in the served chain (the backup key, ideally generated and kept offline), so the site can be moved to that key when the current one has to be replaced. Losing all pinned keys, or rotating to a key that was never pinned, makes the site unreachable for every browser that has noted the pins until ''max-age'' expires, so start with a short ''max-age'' and the ''Public-Key-Pins-Report-Only'' header before enforcing. More information can be found on the [[https://developer.mozilla.org/en-US/docs/Web/Security/Public_Key_Pinning MDN description page]].
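The following is an added worked example, not code from this page or from any browser or server project. It shows both halves of what the text above describes: the server assembling a ''Public-Key-Pins'' header with a current and a backup pin, and the client-side rules from RFC 7469 for noting pins and for accepting a chain. The SPKI blobs are constructed placeholders rather than real DER (the pin is just SHA-256 over the DER SubjectPublicKeyInfo, so the arithmetic is identical for a real key), and the report URI and the 60-day ''max-age'' are assumed values.

```python
"""Added example (not from the original page): build and evaluate an HPKP
Public-Key-Pins header as RFC 7469 specifies, and walk through the key
rotation scenarios that decide whether a pinned site stays reachable."""
import base64
import hashlib

# Constructed stand-ins for DER-encoded SubjectPublicKeyInfo structures.
# For a real key you would obtain the DER with, e.g.:
#   openssl x509 -in cert.pem -pubkey -noout | openssl pkey -pubin -outform DER
LEAF_SPKI = b"constructed SPKI: current leaf key"
BACKUP_SPKI = b"constructed SPKI: offline backup key"
INTERMEDIATE_SPKI = b"constructed SPKI: intermediate CA"
ROOT_SPKI = b"constructed SPKI: root CA"
ROGUE_SPKI = b"constructed SPKI: a new key nobody pinned"

MAX_AGE_60_DAYS = 60 * 24 * 3600  # assumed policy lifetime for the example


def spki_pin(spki_der: bytes) -> str:
    """pin-sha256 value: base64(SHA-256(DER SubjectPublicKeyInfo)), RFC 7469 s.2.4."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def build_pkp_header(pins, max_age, include_subdomains=False, report_uri=None):
    """Server side: assemble the Public-Key-Pins header value.
    Refusing to emit fewer than two pins is the basic availability safeguard:
    RFC 7469 s.2.5 makes clients ignore a header without a backup pin anyway."""
    if len(pins) < 2:
        raise ValueError("HPKP needs at least two pins (current key + backup key)")
    parts = ['pin-sha256="%s"' % p for p in pins]
    parts.append("max-age=%d" % max_age)
    if include_subdomains:
        parts.append("includeSubDomains")
    if report_uri:
        parts.append('report-uri="%s"' % report_uri)
    return "; ".join(parts)


def parse_pkp_header(value):
    """Client side: split the header into pins and directives, rejecting any
    pin-sha256 that is not the base64 encoding of exactly 32 bytes."""
    pins, directives = [], {}
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        name, val = name.strip().lower(), val.strip().strip('"')
        if name == "pin-sha256":
            if len(base64.b64decode(val, validate=True)) != hashlib.sha256().digest_size:
                raise ValueError("pin-sha256 must be base64 of a 32-byte digest")
            pins.append(val)
        elif name == "max-age":
            directives["max-age"] = int(val)
        elif name == "includesubdomains":
            directives["includeSubDomains"] = True
        elif name == "report-uri":
            directives["report-uri"] = val
    return pins, directives


def chain_matches_pins(chain_spkis, pins):
    """RFC 7469 s.2.6: the connection is acceptable if any SPKI in the
    validated chain hashes to one of the noted pins."""
    return any(spki_pin(s) in pins for s in chain_spkis)


def client_should_note_pins(chain_spkis, pins):
    """RFC 7469 s.2.5: a UA notes pins only if at least one pin matches the
    served chain AND at least one does not (the backup pin must exist)."""
    matched = [p for p in pins if any(spki_pin(s) == p for s in chain_spkis)]
    return len(pins) >= 2 and 0 < len(matched) < len(pins)


def key_rotation_scenarios():
    """Walk through the three cases an operator has to reason about."""
    pins = [spki_pin(LEAF_SPKI), spki_pin(BACKUP_SPKI)]
    header = build_pkp_header(pins, MAX_AGE_60_DAYS,
                              report_uri="https://example.org/hpkp-report")  # assumed URI
    noted_pins, _ = parse_pkp_header(header)
    chain_now = [LEAF_SPKI, INTERMEDIATE_SPKI, ROOT_SPKI]
    chain_planned_rotation = [BACKUP_SPKI, INTERMEDIATE_SPKI, ROOT_SPKI]
    chain_unplanned_rotation = [ROGUE_SPKI, INTERMEDIATE_SPKI, ROOT_SPKI]
    return {
        "header": header,
        "noted": client_should_note_pins(chain_now, noted_pins),
        "current_key_ok": chain_matches_pins(chain_now, noted_pins),
        "backup_key_ok": chain_matches_pins(chain_planned_rotation, noted_pins),
        # False here is the availability failure the text warns about: every
        # browser that noted the pins refuses the site until max-age expires.
        "unpinned_key_ok": chain_matches_pins(chain_unplanned_rotation, noted_pins),
    }


if __name__ == "__main__":
    for name, value in key_rotation_scenarios().items():
        print(name, "=", value)
```

The last scenario is the one to internalise: once browsers have noted the pins, moving the site to a key that was never pinned locks those browsers out for the rest of ''max-age'', and no server-side change can shorten that. Pinning an intermediate or root key in addition to the leaf is a common way to soften this, at the cost of trusting that CA to issue any certificate for the host.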
= Recommended Server Configurations =