Re: [websec] Sites with Key Pinning Headers (not preloaded pins)

Joseph Bonneau <jbonneau@gmail.com> Thu, 08 January 2015 14:54 UTC

To: "Martin J. Dürst" <duerst@it.aoyama.ac.jp>
Cc: Chris Evans <cevans@google.com>, IETF WebSec WG <websec@ietf.org>, Ryan Sleevi <sleevi@google.com>, "Michael J. Kranch" <mkranch@princeton.edu>

Hello Martin,

For our upcoming NDSS paper
(http://www.jbonneau.com/doc/KB15-NDSS-hsts_pinning_survey.pdf), we did a
crawl of the top 1M Alexa domains plus every domain in Chrome's preloaded
list and observed attempts to set PKP headers at the domains listed below.
Note some of these are set incorrectly (see Section IV-F of the paper).
Best of luck with your research.

Joe

amateurdumper.com
amigogeek.net
detectify.com
forumdenge.com
frederik-braun.com
freenetproject.org
freitag.de
homemakinghacks.com
kitapyurdu.eu
segu-info.com.ar
skysportsng.com
steventress.com
timtaubert.de
tone-and-tighten.com
webstars2k.com
www.deagostini.jp
www.ilireg.ir
www.metrotimes.com
www.mnot.net
www.munsterrugby.ie
www.pennydellpuzzles.com
www.userstyles.org

On Jan 8, 2015 11:22 AM, Martin J. Dürst <duerst@it.aoyama.ac.jp> wrote:

> Hello Chris, Chris, Ryan, and everybody,
>
> A student of mine is working on a small client-side implementation of key
> pinning. For testing, we would like to know sites that already send the
> respective headers (Public-Key-Pins and/or Public-Key-Pins-Report-Only).
> Any replies on the list or in private appreciated.
>
> Regards,   Martin.
>
> _______________________________________________
> websec mailing list
> websec@ietf.org
> https://www.ietf.org/mailman/listinfo/websec
>
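Added example, written for this archive page and not taken from the thread or the paper: a Python checker for the syntactic rules RFC 7469 places on a Public-Key-Pins value (at least two SHA-256 pins, each valid base64 of 32 bytes, max-age present), the kind of check one would run on the headers returned by the sites listed above to see which are set incorrectly. The header values and pin strings in it are constructed for the demonstration; the names parse_pkp, validate_pkp and _fake_pin are this example's own.

```python
import base64

def _fake_pin(seed: bytes) -> str:  # constructed sample pin, not a real SPKI hash
    return base64.b64encode(seed * 32).decode()

# Constructed header values for the demonstration, not captured from any site.
GOOD = (f'pin-sha256="{_fake_pin(b"A")}"; pin-sha256="{_fake_pin(b"B")}"; '
        'max-age=5184000; includeSubDomains')
ONE_PIN = f'pin-sha256="{_fake_pin(b"A")}"; max-age=5184000'
NO_MAX_AGE = f'pin-sha256="{_fake_pin(b"A")}"; pin-sha256="{_fake_pin(b"B")}"'
BAD_B64 = f'pin-sha256="not*base64"; pin-sha256="{_fake_pin(b"B")}"; max-age=10'

def parse_pkp(value: str) -> list:
    """Split a Public-Key-Pins value into (name, value) pairs; names lowercased."""
    directives = []
    for part in value.split(';'):
        part = part.strip()
        if not part:
            continue
        name, sep, val = part.partition('=')  # first '=' only: pins end in '='
        val = val.strip()
        if len(val) >= 2 and val[0] == val[-1] == '"':
            val = val[1:-1]
        directives.append((name.strip().lower(), val if sep else None))
    return directives

def validate_pkp(value: str, report_only: bool = False) -> list:
    """Return a list of problems; [] means the header passes RFC 7469's syntactic
    checks. The backup-pin rule (one pin not in the served chain) is not checked."""
    problems = []
    directives = parse_pkp(value)
    pins = [v for n, v in directives if n == 'pin-sha256']
    for pin in pins:
        try:
            raw = base64.b64decode(pin or '', validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            problems.append(f'pin is not valid base64: {pin!r}')
            continue
        if len(raw) != 32:
            problems.append(f'pin decodes to {len(raw)} bytes, expected 32')
    if report_only:
        return problems  # PKP-RO: max-age is ignored and pins are never noted
    if len(pins) < 2:
        problems.append(f'{len(pins)} pin(s); at least two are required')
    max_age = [v for n, v in directives if n == 'max-age']
    if not max_age:
        problems.append('max-age directive missing')
    elif not all(v is not None and v.isdigit() for v in max_age):
        problems.append('max-age must be a non-negative integer')
    return problems
```

Run the checker against a live header by passing the value of the Public-Key-Pins response header; an empty list means only the chain-dependent backup-pin rule remains to be verified.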