HTTP Public Key Pinning vs Certificate Transparency, which is better and why?

We are rolling out a new mobile app. Our security team recommends that we pin the public key in order to avoid MITM. iOS already has CT checks and we can enable that for the Android app as well.

The security team’s arguments for pinning ar…

How effective is Expect-CT against content inspection in an enterprise context?

HPKP was used to ensure that a browser accepts a connection to a site only if the public key it has on file is the one presented by the target site. I saw it as a way to make deep content inspection more complicated (some sites…

Why isn’t an Expect-CT violation report sent when I use a certificate generated with Burp Suite?

I wanted to test the Expect-CT security header. So I searched for sites and found that LinkedIn uses the Expect-CT header:

Expect-CT: max-age=86400, report-uri="https://www.linkedin.com/platform-telemetry/ct"

I configured…

How/When does Chrome query Certificate Transparency (CT) log servers to ask for inclusion proofs of certificates, and how can I debug them?

I’ve been trying to understand how Chrome interacts with CT log servers. According to what I’ve read so far, Chrome sends inclusion proof requests (“GET https:///ct/v2/get-proof-by-hash” – https://tools.ietf.org/html/draft-ietf-trans-r…

What does "This request does not comply with Chrome’s Certificate Transparency policy." in Chrome’s Security Tab mean?

When you open up Chrome’s DevTools and switch to the Security Tab you’ll see the message "This request does not comply with Chrome’s Certificate Transparency policy." on some origins. (Example: https://de.ioam.de when you visit…

DHS Orders U.S. Federal Agencies to Audit DNS Security for Their Domains

The U.S. Department of Homeland Security (DHS) has today issued an “emergency directive” to all federal agencies ordering IT staff to audit DNS records for their respective website domains, or other agency-managed domains, within the next 10 business days…