A script to simplify HPKP

HPKP, or HTTP Public Key Pinning, is one of the very few ways to deal with fraudulent or impersonated certificates. Unfortunately, most consider it too risky to deploy publicly, and those who do choose to employ it often do so incorrectly. In fact, a recent Netcraft article points out that of all web servers surveyed, a paltry 0.09% of them utilized HPKP. Of those, a further ~25% didn't configure their header correctly, leaving the mechanism totally ineffective for its intended purpose. It's hard to blame those who got it wrong. After all, there is a plethora of minor details involved in setting up HPKP that are easy to overlook. It just so happens that I've written a script to make the process a whole lot easier to get right.

Let’s Encrypt with Hiawatha

Let's Encrypt is a popular, free certificate authority provided by the Internet Security Research Group (ISRG). It is 100% automated and open source, and the results of each signing or revocation are transparent to the public. Let's Encrypt makes it easy for admins not only to use HTTPS everywhere, but, thanks to its emphasis on automation, to do so in a hassle-free manner. Recent versions of the security-oriented Hiawatha webserver ship with a script that makes this process even easier.