Proposal to improve security with HSTS and Public-key-pins #2156
Labels
Milestone
Comments
|
Yes, this was on my mind as well, and at least HSTS should be fairly easy to implement. Any help on this is appreciated, since I cannot promise anything time-wise. |
|
cc @karlitschek That's what we basically discussed :-) |
|
@LukasReschke Thanks :-) |
|
Since this issue has been open vor a long time: Is there any progress or is anyone working on implementing HPKP for the client? |
|
@TheDD No. It's simply not high enough on the priority list right now. |
|
Qt 5.9 has QNetworkAccessManager::setStrictTransportSecurityEnabled we could use. But since we store the redirected URL in the settings, i don't think it is necessary. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Since firefox (partially since 32 and full till 34) and chrome support HSTS and HTTP public key extension, I would recommend to implement these feature also in the client. This means:
- HSTS: Client know the server has only secured communication.
- HTTP public key extension (Public-Key-Pins (PKP)): So use this information to verify if the stored hash is okay with the hash of the given cert and is not changed. If something is wrong show a warning.
--- Want to back this issue? **[Post a bounty on it!](https://www.bountysource.com/issues/4188601-proposal-to-improve-security-with-hsts-and-public-key-pins?utm_campaign=plugin&utm_content=tracker%2F216457&utm_medium=issues&utm_source=github)** We accept bounties via [Bountysource](https://www.bountysource.com/?utm_campaign=plugin&utm_content=tracker%2F216457&utm_medium=issues&utm_source=github).The text was updated successfully, but these errors were encountered: