Security/Server Side TLS: Difference between revisions

Undo revision 1080937: please submit your changes on github. direct modifications are not permitted.
(typos / wrong links)
(Undo revision 1080937: please submit your changes on github. direct modifications are not permitted.)
Line 373: Line 373:
= HPKP: Public Key Pinning Extension for HTTP =
= HPKP: Public Key Pinning Extension for HTTP =


HPKP is an an Internet RFC, see see [[http://tools.ietf.org/html/rfc7469 RFC7469]] (released April 2015).  The ''Public-Key-Pins'' HTTP header is sent by a server to a client, to indicate the  certificates related to the hashes sent should be pinned in the client. The client would thus refuse to establish a connection to the server if the pinning does not comply.  
See [[http://tools.ietf.org/html/rfc7469 RFC7469]].


It's currently supported by Chrome and Firefox, both version >=35. Microsoft browsers as of June 2015 don't support this. Exempt from this are local CAs -- like antivirus software or "enterprise appliances" -- which deploy a local CA in the browser.  
HPKP is an '''experimental''' HTTP header sent by a server to a client, to indicate that some certificates related to the site should be pinned in the client. The client would thus refuse to establish a connection to the server if the pining does not comply.


HPKP is recommended on production sites which need a high level of trust -- supposed the operators understand the concept of backup keys thoroughly. Otherwise it can lead to availability problems.   More information can be found on the [[https://developer.mozilla.org/en-US/docs/Web/Security/Public_Key_Pinning MDN description page]].
Due to its experimental nature, HPKP is currently '''not''' recommended on production sites. More informations can be found on the [[https://developer.mozilla.org/en-US/docs/Web/Security/Public_Key_Pinning MDN description page]].


= Recommended Server Configurations =
= Recommended Server Configurations =
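Review bot: the two versions of the closing HPKP paragraph contradict each other ("HPKP is recommended on production sites" on the left versus "HPKP is currently '''not''' recommended on production sites" on the right), and the undo restores the older, weaker statement even though the left revision's own opening line ("an Internet RFC ... RFC7469 (released April 2015)") shows why "experimental" no longer fits; the process objection in the revert summary (submit via GitHub) is fair, but the factual update should be carried forward in that submission rather than dropped, minus the duplicated words "an an" and "see see" in the left revision's first paragraph. The restored right side keeps two defects that the same submission should fix: "pining" should read "pinning", and "More informations" should read "More information". Both sides also write the external link with wiki-link double brackets, `[[http://tools.ietf.org/html/rfc7469 RFC7469]]`; in MediaWiki an external link takes single brackets, `[http://tools.ietf.org/html/rfc7469 RFC7469]`, so the rendered page will show a stray bracket around the link. Finally, the left side's caveat that operators must "understand the concept of backup keys thoroughly" or risk "availability problems" is the operationally important part of the paragraph: a pinning header deployed without a usable backup pin leaves clients refusing the site once the pinned key has to be replaced, so whichever wording is adopted should keep that requirement explicit rather than reducing the guidance to a blanket recommendation either way.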