Wednesday, August 31, 2011

HSTS preloading, public key pinning and Chrome

I recently discovered Chrome's net-internals. Among other interesting things, there is a tab about HTTP Strict Transport Security (HSTS). Also, introduced with version 12/13, Chrome now has HSTS preloading and public key pinning. These two features help improve online security:
  • HSTS preloading: the browser already knows that a site must be contacted via HTTPS only. For instance, it ensures users go to https://site even if they type http://site. This protects against MITM attacks when reaching http://site for the first time (see how sslstrip strips the "s" of https).
  • public key pinning: the certificate chain must include a whitelisted public key. For instance, it ensures only whitelisted Certificate Authorities (CA) can sign certificates for *.example.com, and not any CA in your browser store.
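As an added illustration (not code from the original post, nor Chrome's own implementation), the following Python models how a browser consults its HSTS state: a preloaded entry upgrades http:// to https:// before the first request, a dynamic Strict-Transport-Security header only helps after a first visit, and a pinned entry rejects any chain whose SPKI hashes do not intersect the whitelist. The preload entries, SPKI bytes and the choice of SHA-256 as pin digest are constructed assumptions.

```python
import hashlib
from dataclasses import dataclass, field

@dataclass
class HstsEntry:
    include_subdomains: bool = False
    pins: set = field(default_factory=set)  # hex SHA-256 of allowed SPKIs (assumed digest)

class HstsStore:
    """Minimal model of a browser's HSTS/pin state, seeded with a built-in preload list."""
    def __init__(self, preload):
        self.entries = dict(preload)

    def lookup(self, host):
        # Exact host wins; otherwise walk up to a parent entry marked includeSubDomains.
        labels = host.lower().rstrip(".").split(".")
        for i in range(len(labels)):
            entry = self.entries.get(".".join(labels[i:]))
            if entry and (i == 0 or entry.include_subdomains):
                return entry
        return None

    def remember(self, host, header):
        # Dynamic HSTS: parse a Strict-Transport-Security response header value.
        directives = [d.strip().lower() for d in header.split(";") if d.strip()]
        max_age = 0
        for d in directives:
            if d.startswith("max-age="):
                max_age = int(d.split("=", 1)[1].strip('"'))
        host = host.lower()
        if max_age <= 0:                      # max-age=0 clears the entry
            self.entries.pop(host, None)
        else:                                 # keep any pins already known for the host
            prev = self.entries.get(host)
            self.entries[host] = HstsEntry("includesubdomains" in directives,
                                           prev.pins if prev else set())

    def upgrade(self, url):
        scheme, rest = url.split("://", 1)
        host = rest.split("/", 1)[0].split(":", 1)[0]
        if scheme == "http" and self.lookup(host):
            return "https://" + rest
        return url                            # unknown host: first visit stays plain HTTP

    def chain_allowed(self, host, chain_spkis):
        entry = self.lookup(host)
        if entry is None or not entry.pins:
            return True                       # no pins: any trust-store-accepted chain is fine
        seen = {hashlib.sha256(spki).hexdigest() for spki in chain_spkis}
        return bool(seen & entry.pins)

# Constructed sample data: a stand-in SPKI for the one CA allowed to sign *.example.com.
CA_SPKI = b"constructed SPKI of the whitelisted CA"
PRELOAD = {"example.com": HstsEntry(True, {hashlib.sha256(CA_SPKI).hexdigest()})}
store = HstsStore(PRELOAD)
```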