Re: [websec] Sites with Key Pinning Headers (not preloaded pins)
Joseph Bonneau <jbonneau@gmail.com> Thu, 08 January 2015 14:54 UTC
In-Reply-To: <54AE6825.7010203@it.aoyama.ac.jp>
References: <CAH8yC8=XEr9q8VHarucKa0rVqSPt3=oDzDRWXA3_u4rkhpZmoQ@mail.gmail.com> <8E436DD1-8EFB-4270-81CA-717B0FDD9A4F@gmail.com> <54AE6825.7010203@it.aoyama.ac.jp>
From: Joseph Bonneau <jbonneau@gmail.com>
Date: Thu, 08 Jan 2015 14:54:04 +0000
Message-ID: <CAOe4UikyvsmV3-5jV9kM86RT-K5_u1Vr-eUXAkDGWLfy7PEJuA@mail.gmail.com>
To: "Martin J. Dürst" <duerst@it.aoyama.ac.jp>
Archived-At: <http://mailarchive.ietf.org/arch/msg/websec/RSj6-XB86id_VgNM9tx25NTEY8Y>
Cc: Chris Evans <cevans@google.com>, IETF WebSec WG <websec@ietf.org>, Ryan Sleevi <sleevi@google.com>, "Michael J. Kranch" <mkranch@princeton.edu>
Subject: Re: [websec] Sites with Key Pinning Headers (not preloaded pins)
Hello Martin,

For our upcoming NDSS paper (http://www.jbonneau.com/doc/KB15-NDSS-hsts_pinning_survey.pdf), we did a crawl of the top 1M Alexa domains plus every domain in Chrome's preloaded list, and we observed attempts to set PKP headers at the domains listed below. Note some of these are set incorrectly (see Section IV-F of the paper).

Best of luck with your research.

Joe

- amateurdumper.com
- amigogeek.net
- detectify.com
- forumdenge.com
- frederik-braun.com
- freenetproject.org
- freitag.de
- homemakinghacks.com
- kitapyurdu.eu
- segu-info.com.ar
- skysportsng.com
- steventress.com
- timtaubert.de
- tone-and-tighten.com
- webstars2k.com
- www.deagostini.jp
- www.ilireg.ir
- www.metrotimes.com
- www.mnot.net
- www.munsterrugby.ie
- www.pennydellpuzzles.com
- www.userstyles.org

On Jan 8, 2015 11:22 AM, Martin J. Dürst <duerst@it.aoyama.ac.jp> wrote:
> Hello Chris, Chris, Ryan, and everybody,
>
> A student of mine is working on a small client-side implementation of key
> pinning. For testing, we would like to know sites that already send the
> respective headers (Public-Key-Pins and/or Public-Key-Pins-Report-Only).
> Any replies on the list or in private appreciated.
>
> Regards, Martin.
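The reply notes that some of the observed Public-Key-Pins headers are set incorrectly. As an added illustration (not code from the paper, the thread, or any of the listed sites), the following Python checks a PKP header the way a conforming client would before enforcing it under the key-pinning draft (later RFC 7469): every pin must be a base64 SHA-256 digest, max-age must be present, one pin must match the SPKI of the served key, and at least one further pin must be a backup that does not match the served chain. The SPKI byte strings are constructed placeholders, not real keys.

```python
import base64
import hashlib

# Constructed sample SPKI bytes (stand-ins for DER SubjectPublicKeyInfo; not real keys).
SPKI_PRIMARY = b"constructed-spki-bytes-for-the-served-key"
SPKI_BACKUP = b"constructed-spki-bytes-for-the-backup-key"

def spki_pin(spki_der: bytes) -> str:
    """pin-sha256 value: base64 of SHA-256 over the DER-encoded SubjectPublicKeyInfo."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()

def parse_pkp(header: str) -> dict:
    """Split a Public-Key-Pins header into its directives (names are case-insensitive)."""
    out = {"pins": [], "max_age": None, "include_subdomains": False, "report_uri": None}
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "pin-sha256":
            out["pins"].append(value)
        elif name == "max-age":
            out["max_age"] = int(value) if value.isdigit() else None
        elif name == "includesubdomains":
            out["include_subdomains"] = True
        elif name == "report-uri":
            out["report_uri"] = value
    return out

def pkp_problems(header: str, served_spki: bytes) -> list:
    """Reasons a conforming UA would ignore the header; an empty list means it is enforceable."""
    p = parse_pkp(header)
    problems = []
    if p["max_age"] is None:
        problems.append("max-age missing or not a non-negative integer")
    valid = set()
    for pin in p["pins"]:
        try:
            raw = base64.b64decode(pin, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            raw = b""
        if len(raw) != 32:
            problems.append(f"pin is not a base64-encoded SHA-256 digest: {pin!r}")
        else:
            valid.add(pin)
    matches = spki_pin(served_spki) in valid
    if not matches:
        problems.append("no pin matches the SPKI of the served key")
    if len(valid) - int(matches) < 1:
        problems.append("no backup pin (a pin that does not match the served chain)")
    return problems
```

In a real client the SPKI bytes come from the certificates in the validated chain rather than from constants, and a Report-Only header is checked the same way except that a missing max-age is not an error.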