apache - Public Key Pinning not working -

-

hello trying implement public-key-pinning on apache server running proxy web-app, won't work (if enter wrong hash page still displayed instead of error, should shown in firefox or chrome). sure header correct – hash correct, have tested chrome.

my configdata is

<virtualhost *:443> servername subdomain.*******.***:443 sslcertificatefile /etc/apache2/ssl/___.crt sslcertificatekeyfile /etc/apache2/ssl/___.key sslcertificatechainfile /etc/apache2/ssl/___.ca header set public-key-pins "pin-sha256=\"****\"; pin-sha256=\"****\";  max-age=120; includesubdomains"      <proxy *>        order deny,allow        allow    </proxy>      proxypass / ****:****/     proxypassreverse / ****:****/     <location />         order allow,deny         allow     </location> </virtualhost>

at first had 1 hash added second 1 in case required. doing wrong?

note: of course have mod_header enabled , loaded.

two hashes required , must 2 independent hashes. i.e. cannot pin cert , intermediate cert issued not independent. safety feature ensure have backup incase need it.

additionally policy accepted if passes cannot put in fake policy , watch fail because never accepted.

a tool check policy one: https://report-uri.io/home/pkp_analyse , other tools on same site generate policy: https://report-uri.io/home/pkp_hash

however need careful hpkp. it's easy block website and, hope don't take wrong way, doesn't sound understand hpkp suggest read more first.

there public-key-pins-report-only (which available in chrome @ present) , , allows test policy bit (well in chrome @ least) need use report-uri option (you can use above site collect reports if don't want write own service this).

i've active interest in and, if people don't mind me linking here, i've blogged in more detail here: https://www.tunetheweb.com/security/http-security-headers/hpkp/. think it's potentially dangerous option needs careful consideration before implementing.


Comments

Post a Comment

Popular posts from this blog

javascript - Chart.js (Radar Chart) different scaleLineColor for each scaleLine -

-
Image
i try , create radar chart using chart.js has various colours each scaleline, or coloured between scalelines. wondering if possible? from: to: i have working graph, though there doesn't seem method change individual scale lines. kind regards leigh you can extend radar chart type this, so chart.types.radar.extend({ name: "radaralt", initialize: function (data) { chart.types.radar.prototype.initialize.apply(this, arguments); var originalscaledraw = this.scale.draw; var ctx = this.chart.ctx; this.scale.draw = function () { var linewidth = this.linewidth; // bypasses line drawing in originalscaledraw this.linewidth = linewidth; originalscaledraw.apply(this, arguments); ctx.linewidth = this.linewidth; var scale = this; // draw chart.helpers.each(scale.ylabels, function (label, index) { // color of ...
Read more

apache - Error with PHP mail(): Multiple or malformed newlines found in additional_header -

-
suddenly have started receiving above error without changes having been made script. host 1and1 (i know...) the script still works fine on different server, , suspicion there must have been server config change has lead this, although hosts plead ignorance. there's no information on above error @ in google can find - have ideas? server running apache if helps. had similar problem. came out of blue. no php code changed. what changed: php upgraded 5.5.25-1 5.5.26. a security risk in php mail() function has been fixed , newlines in additional_headers allowed no more. because newlines mean: starts email message (and surely don't want inject newlines through headers followed evil message). what have worked fine, e.g. having newlines after headers or passing whole message additional_headers , function no more. solution : sanitize headers. no multiple newlines in additional_headers argument. these count "multiple or malformed newlines":...
Read more

java - Android – MapFragment overlay button shadow, just like MyLocation button -

-
Image
i'm struggling add shadow custom overlay button on google map. goal make custom button google's mylocation button. here's how app looks now: layout.xml <relativelayout xmlns:android="http://schemas.android.com/apk/res/android" xmlns:tools="http://schemas.android.com/tools" xmlns:map="http://schemas.android.com/apk/res-auto" android:layout_height="match_parent" android:layout_width="match_parent" style="@style/apptheme"> <fragment android:layout_width="match_parent" android:layout_height="match_parent" android:id="@+id/map" tools:context=".mapsactivity" android:name="com.google.android.gms.maps.supportmapfragment" android:layout_alignparentend="true" android:layout_alignparentstart="true" android:layout_alignparentbottom="true" ...
Read more