Monday, May 14, 2018

How to get an A+ for your HTTPS websites from SSL Labs

We explored DNS CAA records for certificates in a past blog post

reference:


http://socpuppet.blogspot.com/2016/04/dns-caa-records-for-certifications.html

But another sure way to increase your SSL Labs score is to enable HPKP (HTTP Public Key Pinning). The pin is simple to create, and if you can inject the HTTP header "Public-Key-Pins:" carrying that pin, you can increase the comfort level within the browser.

Here's a typical A+ score as seen on SSL Labs for a website I recently built


I'm going to focus on HPKP pinning.

First, finding the public key of your HTTPS site is quite simple.


e.g.


openssl s_client -connect www.example.com:443 -servername www.example.com </dev/null 2>/dev/null \
  | openssl x509 -noout -pubkey > yoursitepub.key

(The </dev/null closes s_client's stdin so the command returns instead of hanging, and -servername sends SNI so you get the certificate for that hostname.)


The above example will create a file with the following content





Alternatively, you can use the quick HPKP calculator ;)

https://hpkpcalc.github.io/calculator.html
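The pin itself is just the base64-encoded SHA-256 of the DER SubjectPublicKeyInfo, which is exactly what the base64 body of the PEM written to yoursitepub.key contains, so you can compute it yourself instead of pasting into the calculator. The Python below is an added example (not from the original post); the SAMPLE_PEM and the backup pin are constructed placeholders standing in for your real key and your offline spare key.

```python
import base64
import hashlib
import re

# Constructed stand-in for the PEM written by "openssl x509 -pubkey" (not a real key).
SAMPLE_PEM = "-----BEGIN PUBLIC KEY-----\nMAMCAQU=\n-----END PUBLIC KEY-----\n"

def pem_to_der(pem_text):
    """Return the DER SubjectPublicKeyInfo carried in a PEM PUBLIC KEY block."""
    match = re.search(r"-----BEGIN PUBLIC KEY-----(.*?)-----END PUBLIC KEY-----", pem_text, re.S)
    if not match:
        raise ValueError("no PUBLIC KEY block found")
    return base64.b64decode("".join(match.group(1).split()), validate=True)

def spki_pin(der):
    """HPKP pin value: base64(SHA-256(SubjectPublicKeyInfo DER)), per RFC 7469."""
    return base64.b64encode(hashlib.sha256(der).digest()).decode("ascii")

def is_valid_pin(pin):
    """A pin must be base64 that decodes to exactly one 32-byte SHA-256 digest."""
    try:
        return len(base64.b64decode(pin, validate=True)) == 32
    except (ValueError, TypeError):
        return False

def build_hpkp_header(pins, max_age=5184000, include_subdomains=False, report_uri=None):
    """Assemble the Public-Key-Pins header value."""
    # RFC 7469 requires a backup pin for a key not in the served chain, and browsers
    # discard a header carrying fewer than two pins, so refuse to emit one.
    unique = list(dict.fromkeys(pins))  # de-duplicate, keep order
    if len(unique) < 2:
        raise ValueError("HPKP needs at least two distinct pins (current + backup)")
    bad = [p for p in unique if not is_valid_pin(p)]
    if bad:
        raise ValueError("malformed pin(s): " + ", ".join(bad))
    parts = ['pin-sha256="%s"' % p for p in unique]
    parts.append("max-age=%d" % max_age)
    if include_subdomains:
        parts.append("includeSubDomains")
    if report_uri:
        parts.append('report-uri="%s"' % report_uri)
    return "; ".join(parts)

if __name__ == "__main__":
    current = spki_pin(pem_to_der(SAMPLE_PEM))
    # Placeholder backup pin; in practice pin the SPKI of an offline spare key or CSR.
    backup = spki_pin(b"constructed backup key placeholder")
    print("Public-Key-Pins: " + build_hpkp_header([current, backup], include_subdomains=True))
```

Point pem_to_der at the contents of yoursitepub.key to get the pin for the key the site is serving today; the backup pin should come from a key that is generated and kept offline, not from a certificate already in the chain.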



Helpful tools:

https://report-uri.io/home/pkp_analyse
https://securityheaders.io/
https://crt.sh



On an F5, you can apply a public key pin within an LTM policy:

http://socpuppet.blogspot.com/2017/10/building-http-pkp-header-for-insert.html


Now keep in mind that Google has deprecated HPKP in a recent announcement and points to the Expect-CT header instead.

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Expect-CT

 

YMMV








NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com
     ^      ^
=(  @  @ )=
         o 
        /  \
