Question

There is HPKP (HTTP Public Key Pinning) which servers use to tell the client's web browser which certificates to trust (in the future) for the domain that is being contacted.
Google's Chrome and Mozilla's Firefox bring their own lists of websites that are pinned to certain certificates. (Google calls an entry in this list "a pinset".)

How can I add certificate pinning for other domains to my web browser (e.g. Firefox)?

Is there a reason why there is no option to "Pin this certificate to this URI" when viewing the details of a certificate in a web browser? Would it undermine the concept of CAs, or is it just not implemented?

Explanation / Answer

HPKP does not address this need.

HPKP is an extension to the HTTP protocol allowing website administrators to provide specific pinning information to the browser, allowing:

+ To check that at least one of the certificates composing the authentication chain of the current HTTPS connection (depending on the platform architecture, the server administrator may choose not to pin the final certificate but an intermediary or the root one instead),
+ Present an alternative Pin corresponding to a backup certificate in case the primary one is lost/leaked/etc., so clients keep the ability to access the website after the certificate has been changed,
+ Tell the browser whether the certificate pinning should also be enabled for sub-domains or not,
+ Tell the browser how long the pin is applicable, in accordance with the potential key migration schedule.

Were an HPKP pin set improperly, the browser would deny any access to the website without any direct recourse for the user. All the details above are mainly known and controlled by the server administrator, and not the final user, therefore the final user has no way to properly configure an HPKP pin in his browser.

What you may look for, instead, is for the browser to store some information concerning the certificates presented by non-HPKP websites, and be able to alert you upon certificate change; it is then up to the user to check the new certificate and agree to continue if everything seems in order. Such a feature already exists, at least on Firefox, but is handled by addons such as Certificate Patrol.
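To make the server-controlled directives listed in the answer concrete, here is an added example (not part of the original answer) that parses a Public-Key-Pins header and applies the acceptance rules a browser follows before storing a pin: a max-age must be present, one pin must match a certificate in the served chain, and one pin must not match (the backup). The SPKI byte strings and the header values are constructed placeholders, not real keys.

```python
import base64
import hashlib

# Constructed stand-ins for the DER SubjectPublicKeyInfo of each certificate.
# In a real connection these come from the TLS chain the server presents.
LEAF_SPKI = b"constructed-leaf-spki"
INTERMEDIATE_SPKI = b"constructed-intermediate-spki"
BACKUP_SPKI = b"constructed-backup-key-spki"


def spki_pin(spki_der: bytes) -> str:
    """Pin value in HPKP form: base64(SHA-256(SPKI DER))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def parse_hpkp(header: str) -> dict:
    """Split a Public-Key-Pins header value into its directives."""
    policy = {"pins": [], "max_age": None, "include_subdomains": False}
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "pin-sha256":
            policy["pins"].append(value)
        elif name == "max-age":
            policy["max_age"] = int(value)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
    return policy


def evaluate_pins(policy: dict, chain_spki: list) -> tuple:
    """Return (accepted, reason) for a header received over a valid HTTPS chain.
    A header that fails any rule is ignored rather than stored, which is why a
    misconfigured pin set is the administrator's problem, not the user's."""
    if policy["max_age"] is None:
        return False, "missing max-age"
    chain_pins = {spki_pin(spki) for spki in chain_spki}
    matched = [p for p in policy["pins"] if p in chain_pins]
    backups = [p for p in policy["pins"] if p not in chain_pins]
    if not matched:
        return False, "no pin matches the served chain"
    if not backups:
        return False, "no backup pin for key rotation"
    return True, "pin stored for %d seconds" % policy["max_age"]


# Constructed headers: a correct one pinning the intermediate plus a backup key,
# and an incomplete one that pins only the intermediate.
GOOD_HEADER = 'pin-sha256="%s"; pin-sha256="%s"; max-age=5184000; includeSubDomains' % (
    spki_pin(INTERMEDIATE_SPKI), spki_pin(BACKUP_SPKI))
BAD_HEADER = 'pin-sha256="%s"; max-age=5184000' % spki_pin(INTERMEDIATE_SPKI)
```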
