Comments on StalkR's Blog: HSTS preloading, public key pinning and Chrome
Blog author: StalkR (http://www.blogger.com/profile/15113480981262771031)
Comment feed last updated: 2024-03-23T23:09:17+01:00 (7 comments, newest first)

StalkR (https://www.blogger.com/profile/15113480981262771031), 2014-12-31T19:14:37+01:00:

https://www.youtube.com/watch?v=pWdd6_ZxX8c

I think it's working as intended that things break if your date setting is wrong. Date is important for this stuff that expires, and that's why we have automatic ways to set it like ntp.
Now ntp isn't without its own issues, and that's an interesting topic to fix.

DNSWatch (https://www.dnswatch.info), 2014-12-31T16:14:05+01:00:

Public Key Pinning can be a problem for visitors with wrong dates on their computers. See https://www.dnswatch.info/articles/public-key-pinning-date-problem

The draft needs to be reworked.

Jacob Cross (https://www.blogger.com/profile/14200419634695153685), 2013-12-12T17:24:35+01:00:

https://github.com/StalkR/misc/blob/master/http_pins.py not found.

Any chance you'd mind resharing? I'm trying to implement cert pinning in C#, but I don't think I'm hashing the SPKI properly. I'm having trouble generating a matching hash for Equifax Secure CA.

Any help would be greatly appreciated.

StalkR (https://www.blogger.com/profile/15113480981262771031), 2012-11-29T18:06:26+01:00:

Since Chromium is open source, you can have more information on this by looking at the source code.
The chrome://net-internals/#hsts page telling you "OPPORTUNISTIC" is done by this code: http://code.google.com/searchframe#OAMlx_jo-ck/src/chrome/browser/resources/net_internals/hsts_view.js&exact_package=chromium&q=opportunistic&type=cs&l=163

Then you can view the code describing what this mode "1" is: http://code.google.com/searchframe#OAMlx_jo-ck/src/net/base/transport_security_state.h&exact_package=chromium&q=DomainState&type=cs&l=51 - it's just the default.

So opportunistic means HSTS is not enforced: this means you can reach google.com without https - which is true.

However, try to look up mail.google.com: it is in mode STRICT, meaning HSTS is enforced and you cannot access it without https.

floyd (http://floyd.ch), 2012-11-29T12:57:42+01:00:

www.google.com actually has OPPORTUNISTIC instead of STRICT for the mode. Didn't find any information on that mode...

StalkR (https://www.blogger.com/profile/15113480981262771031), 2012-11-24T10:21:13+01:00:

Good catch, thank you, fixed.

Gary Gapinski (http://garygapinski.com/), 2012-11-23T19:18:54+01:00:

Conditional for header insertion cites wrong module. Should be mod_headers.