New Tool: PinPatrol add-on for Firefox

ElevenPaths, 25 July, 2016

We have created a new tool that improves the experience of using HSTS and HPKP in Firefox. This tool is a Firefox add-on that shows the HSTS and HPKP data stored by your browser in a human-readable way. It is very easy to use and it can provide useful information about that data.

HSTS and HPKP

The HTTP Strict Transport Security protocol (HSTS) can turn HTTP requests into HTTPS from the browser itself. If a server decides to send HSTS headers to a browser, any subsequent visit to the domain from that browser is automatically and transparently converted to HTTPS by the browser, avoiding unsafe requests from the very start of the connection. The application of the HSTS protocol is transparent to the user, i.e., browsers themselves are responsible for redirecting and for remembering how long domains should be visited via HTTPS once the domains have announced this via HSTS. The domain transmits HSTS information to the browser with the Strict-Transport-Security header.

The idea behind certificate pinning is to be able to detect when a chain of trust has been modified. In order to do so, a digital certificate present in a certificate chain needs to be unequivocally associated, usually in the browser, with a specific domain. Thus, a domain A, e.g. www.elevenpaths.com, will be linked to a specific certificate/certification authority B. If for any reason a different certification authority B' (which depends on a trusted root certification authority) tries to issue a certificate associated with domain A, an alarm is raised. In general, any modification of the certification chain is treated as a sign of possible alteration. That is what HPKP (HTTP Public Key Pins) is for.

Description

Firefox supports HSTS from version 4 and HPKP from version 32. This is a Firefox extension that shows, in a readable format, the state of the HSTS and HPKP domains stored by the browser.
Firefox has no native way to show these domains, and this functionality is not properly documented.

Figure: An example of what the add-on shows

Functionality

The information provided by the table is the one stored by the browser, "translated" into a more human-readable form.

Domain: Domain protected under HSTS or HPKP.

Score: This score is a Firefox value. It increases by one for each different day (at least 24 hours apart) on which the domain is visited.

Date: Last day the domain was visited. It is calculated by Firefox using the number of days since 01/01/70.

Expiration Date: Max-age of HSTS or HPKP, in other words, when the entry will expire.

SecurityProperty: This is a Firefox value. SecurityPropertyUnset if 0, SecurityPropertySet if 1 or SecurityPropertyKnockout if 2.

IncludeSubdomains: Whether the HSTS or HPKP directive includes subdomains.

HPKP Pins: List of pins in the HPKP header.

PinPatrol is available from the official Mozilla repository. We hope you find it useful.
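The fields listed under Functionality can be decoded from the browser's stored state with a small parser. This is an added example, not PinPatrol's own code: it assumes the tab-separated line layout of the Firefox profile file SiteSecurityServiceState.txt as it was in 2016 (neither the file name nor the layout is stated on this page), and the sample lines are constructed.

```javascript
// Added example. Assumed layout of one line (tab-separated), 2016-era
// SiteSecurityServiceState.txt:
//   host:TYPE  score  lastVisitDay  expiryMs,state,includeSubdomains[,pins]
const STATES = ['SecurityPropertyUnset', 'SecurityPropertySet', 'SecurityPropertyKnockout'];
const DAY_MS = 24 * 60 * 60 * 1000;

function parseEntry(line) {
  const cols = line.split('\t');
  if (cols.length !== 4) return null;                  // not a state line
  const [key, score, lastDay, value] = cols;
  const k = /^(.+):(HSTS|HPKP)$/.exec(key);
  const v = /^(\d{1,15}),([012]),([01])(?:,(.*))?$/.exec(value);
  if (!k || !v || !/^\d+$/.test(score) || !/^\d{1,7}$/.test(lastDay)) return null;
  // Each pin is a base64 SHA-256 digest (43 characters plus '=' padding);
  // pins are assumed to be stored back to back with no separator.
  const blob = v[4] || '';
  const pins = blob.match(/[A-Za-z0-9+/]{43}=/g) || [];
  if (pins.join('') !== blob) return null;             // malformed pin list
  return {
    domain: k[1],
    type: k[2],
    score: Number(score),                              // distinct days visited
    date: new Date(Number(lastDay) * DAY_MS).toISOString().slice(0, 10),
    expirationDate: new Date(Number(v[1])).toISOString(),
    securityProperty: STATES[Number(v[2])],
    includeSubdomains: v[3] === '1',
    pins,
  };
}

// Parse a whole file and flag entries whose max-age has already run out.
function parseState(text, nowMs = Date.now()) {
  return text.split('\n').map(parseEntry).filter(Boolean)
    .map(e => ({ ...e, expired: Date.parse(e.expirationDate) <= nowMs }));
}

// Constructed sample input (not real browser data).
const SAMPLE = [
  'example.com:HSTS\t3\t17007\t1500000000000,1,1',
  'pinned.example:HPKP\t0\t17007\t1472000000000,1,0,' +
    'A'.repeat(43) + '=' + 'B'.repeat(43) + '=',
  'a line that is not an entry',
].join('\n');

console.table(parseState(SAMPLE, Date.UTC(2017, 0, 1)));
```

Expired entries are worth noticing when auditing a profile: once the expiration date has passed, the browser no longer enforces HTTPS or the pins for that domain.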