
HPKP and HSTS. Global analysis and implementation


We collected and visited domains from two sources, the Alexa top million and Shodan; the results come from searches made in November 2016. From those domains we determined which ones send HSTS or HPKP headers over HTTP or over HTTPS, and which of them use different header configurations on the two. We tried to determine not only the quantity of deployments but also the "quality" of the implementation: max-age values, includeSubDomains and preload directives, number and position of HPKP pins, and eligibility for the Chromium preload list.



  4. HSTS implementation in the Alexa top 1M (chart, two series: HTTPS and HTTP). Categories: Strict-Transport-Security header sent, includeSubDomains, preload, full implementation (HTTPS only). Values read from the chart, HTTPS series then HTTP series: Strict-Transport-Security sent 33827 / 7305; includeSubDomains 9723 / 2957; preload 5794 / 1230; full implementation over HTTPS 4717. Browsers ignore the header when it arrives over plain HTTP (RFC 6797), so only the HTTPS series reflects effective protection.
  5. Number of pins offered by the Alexa top million domains using HPKP (450 domains): 1 pin: 89; 2 pins: 211; 3 pins: 71; 4 to 6: 58; 7 to 9: 17; 10 to 12: 2; 13 or more: 2. RFC 7469 requires at least two pins, one of them a backup pin not present in the served chain, so the 89 single-pin headers are not honoured by browsers.
  6. Position of the pinned certificate in the trust chain for the Alexa top million domains using HPKP: root 17%, intermediate 74%, leaf 9%.
  7. Most used max-age values for HPKP (percentage of domains): 86400 (1 day) 2.76%; 604800 (7 days) 2.49%; 2592000 (30 days) 25.14%; 5184000 (60 days) 31.77%; 15768000 (6 months) 5.52%; 31536000 (1 year) 11.60%; others 20.72%.
  8. Most used max-age values for HSTS (percentage of domains): 0 6.26%; 432 0.01%; 15552000 (180 days) 6.10%; 15768000 (6 months) 4.78%; 31536000 (1 year) 43.98%; 63072000 (2 years) 24.60%; others 14.29%. A max-age of 0 instructs the browser to delete its HSTS entry for the host, so those domains get no protection from the header.
  9. Preloading status in Alexa's top 1M domains: send the preload directive over HTTPS: 5794; preloaded (Chromium list): 2056; preloaded with errors: 662.
  10. Error classification in domains: include_sub_domains_missing 59.45%; max_age_too_low 32.00%; preload_missing 7.62%; www_first 0.75%; invalid_cert_chain 0.25%; other 0.04%.
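The header-level part of the "quality" checks behind slides 4 to 10 (preload eligibility, max-age, pin count) can be reproduced from the raw header values. The Python below is an added example, not code from the original slides: it parses Strict-Transport-Security and Public-Key-Pins values, reports preload failures using the error names from the last chart, and summarises HPKP pins. The one-year max-age threshold is the current hstspreload.org requirement and is an assumption for the 2016 data (it is a parameter); the sample headers are constructed. www_first and invalid_cert_chain need a live connection and are not derivable from the header alone.

```python
"""Header-level checks behind the HSTS/HPKP 'quality' charts.

Added example, not code from the original slides. Inputs are raw
Strict-Transport-Security / Public-Key-Pins header values; the sample
values at the bottom are constructed, not measured.
"""
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Current hstspreload.org minimum; assumption for 2016 data (threshold is a parameter below).
ONE_YEAR = 31536000
# A pin-sha256 value is the base64 of a 32-byte digest: 43 chars plus one '=' pad.
PIN_RE = re.compile(r"[A-Za-z0-9+/]{43}=")


def parse_directives(header: str) -> List[Tuple[str, Optional[str]]]:
    """Split 'a=1; b; c="x"' into [(name, value)] pairs.

    Directive names are case-insensitive, so they are lower-cased; quoted
    values are unquoted; flag directives get None. A list is used rather
    than a dict because HPKP repeats pin-sha256.
    """
    pairs = []
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, value = part.partition("=")
        pairs.append((name.strip().lower(), value.strip().strip('"') if sep else None))
    return pairs


def max_age_of(directives: List[Tuple[str, Optional[str]]]) -> Optional[int]:
    """First well-formed max-age, or None if absent or unparsable."""
    for name, value in directives:
        if name == "max-age" and value is not None and value.isdigit():
            return int(value)
    return None


def hsts_preload_errors(header: str, min_age: int = ONE_YEAR) -> List[str]:
    """Preload-requirement failures for one HSTS header value.

    Error names follow the categories in the last chart. An empty list
    means the header itself is eligible; 'www_first' and
    'invalid_cert_chain' need a connection and are not checked here.
    """
    directives = parse_directives(header)
    names = {name for name, _ in directives}
    errors = []
    age = max_age_of(directives)
    if age is None or age < min_age:
        errors.append("max_age_too_low")
    if "includesubdomains" not in names:
        errors.append("include_sub_domains_missing")
    if "preload" not in names:
        errors.append("preload_missing")
    return errors


def hpkp_summary(header: str) -> Dict[str, object]:
    """Pin count and basic validity for one Public-Key-Pins header value.

    RFC 7469 requires at least two pins: one matching the served chain and
    one backup that does not. Whether a pin matches the chain cannot be
    told from the header alone, so only count and syntax are checked.
    """
    directives = parse_directives(header)
    pins = [value for name, value in directives if name == "pin-sha256" and value]
    well_formed = [p for p in pins if PIN_RE.fullmatch(p)]
    return {
        "pins": len(pins),
        "well_formed_pins": len(well_formed),
        "enough_pins": len(well_formed) >= 2,
        "max_age": max_age_of(directives),
        "include_subdomains": any(name == "includesubdomains" for name, _ in directives),
    }


def tally_errors(headers: List[str]) -> Counter:
    """Error distribution over many HSTS headers, like the last chart."""
    tally: Counter = Counter()
    for h in headers:
        tally.update(hsts_preload_errors(h))
    return tally


# Constructed sample headers (not from the survey).
SAMPLE_HSTS = [
    "max-age=31536000; includeSubDomains; preload",  # eligible
    "max-age=15768000; includeSubDomains; preload",  # six months: too low
    "max-age=31536000",                              # no includeSubDomains, no preload
    "max-age=0",                                     # tells the browser to forget the host
    'max-age="63072000"; includeSubDomains',         # quoted value, preload missing
]

if __name__ == "__main__":
    for h in SAMPLE_HSTS:
        print(f"{h!r:48} -> {hsts_preload_errors(h) or 'eligible'}")
    print(dict(tally_errors(SAMPLE_HSTS)))
```

Run against a crawl, the tally gives the same shape as slide 10; the HPKP summary flags the single-pin deployments of slide 5, but confirming that one pin is a genuine backup still requires comparing the pins against the served certificate chain.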
