Public-Key-Pins test

From Projects by Davis Mosenkovs

Jump to: navigation, search

This page allows online testing of browser (or web firewall, if SSL decrypting firewall is used) support for Public Key Pinning Extension for HTTP (HPKP) and HTTP Strict Transport Security (HSTS).

About Public key pinning and HPKP

Public key pinning and Public Key Pinning Extension for HTTP (HPKP) sections of Public-Key-Pins calculator page briefly describe these technologies, how they work and how they make HTTPS/SSL/TLS connections more secure.

Deprecation

HPKP has been removed in Chrome 72 and Firefox 72.

On Firefox 72 - 77 it was possible to re-enable HPKP by manually setting security.cert_pinning.hpkp.enabled about:config setting to true. In Firefox 78 HPKP has been completely removed (security.cert_pinning.hpkp.enabled has no effect on Firefox 78 and later).

Browser compatibility test

Automatic test results for browser visiting this page:

Feature	Support
Public Key Pinning Extension for HTTP (HPKP)	👁 Image
HTTP Strict Transport Security (HSTS)	👁 Image

More precise manual testing

Public Key Pinning Extension for HTTP test page will open page only upon failure or will show non-bypassable browser error (stating that verification of certificate hash has failed) upon success. This test works by opening a page on subdomain whose certificate public key is not pinned via Public-Key-Pins HTTP header sent by this page.

HTTP Strict Transport Security (HSTS) test page will open page showing whether browser side redirection from HTTP to HTTPS has happened. This page works by using two different HTML files - success message available via HTTPS and failure message available via HTTP - and linking to failure message.

HTTP Strict Transport Security (HSTS) No User Recourse test page will show non-bypassable browser error (about invalid certificate) upon success or will display regular/bypassable browser error upon failure. This test works by opening a page on subdomain whose certificate is considered invalid (with mismatched name), but has correctly pinned public key (actually certificate of this site).

Direct test links

These links can be used to detect browser bugs in Public Key Pinning Extension for HTTP and HTTP Strict Transport Security (HSTS) implementations in specific conditions (e.g. when address is typed after re-opening browser, added to favorites, set as homepage, opened by restoring session etc.). These addresses can be used only after visiting https://projects.dm.id.lv/. Upon success both of these addresses will show non-bypassable browser errors.

https://pkptest.projects.dm.id.lv/ is direct address of Public Key Pinning Extension for HTTP test page. It will open page only upon failure or it will show non-bypassable browser error (stating that verification of certificate hash has failed) upon success.

http://hststest.projects.dm.id.lv/ (please note "http://" without "s") is direct address of HTTP Strict Transport Security (HSTS) (including No User Recourse) test page. It will open page (or bypassable error/warning) only upon failure or it will show non-bypassable browser error (about invalid certificate) upon success. This address tests HSTS and HSTS No User Recourse, so bypassable error/warning means that only No User Recourse is not supported.

Test results for some well known browsers

This table shows test results for some popular web browsers (two results marked with * are not test results, but data taken from documentation):

Browser	Platform	HPKP supported	HSTS supported	HSTS No User Recourse
Firefox 78.0.1 with `security.cert_pinning.hpkp.enabled` enabled *	Windows/Linux/MacOS/Android/iOS	No	Yes	Yes
Firefox 78.0.1 with `security.cert_pinning.hpkp.enabled` enabled	Windows 8.1	No	Yes	Yes
Firefox 75.0 with `security.cert_pinning.hpkp.enabled` enabled	Windows 8.1	Yes	Yes	Yes
Chrome 72.0 *	Windows/Linux/MacOS/Android/iOS	No	Yes	Yes
Firefox 72.0 *	Windows/Linux/MacOS/Android/iOS	No	Yes	Yes
Chrome 35.0.1916.153 m	Windows 7	Yes	Yes	Yes
Firefox 35.0	Windows 7	Yes	Yes	Yes
Firefox 34.0	Windows 7	No	Yes	Yes
Opera 23.0.1522.60	Windows 7	Partially (bypassable error)	Yes	No
Internet Explorer 11.0.38 (11.0.9600.18538)	Windows 8.1	No	Yes	Yes
Internet Explorer 11.0.38 (11.0.9600.18537)	Windows 7	No	Yes	Yes
Internet Explorer 11.0.8 (11.0.9600.16663)	Windows 8.1	No	No	No
Chrome 35.0.1916.153	MacOS 10.9	Yes	Yes	Yes
Firefox 35.0	MacOS 10.10.1	Yes	Yes	Yes
Firefox 33.0.3	MacOS 10.10.1	No	Yes	Yes
Safari 7.0.3 (9537.75.14)	MacOS 10.9	No	Yes	Yes
Chrome 35.0.1916.153	Linux (Debian 7.5)	Yes	Yes	Yes
Firefox 35.0	Linux (Debian 7.8)	Yes	Yes	Yes
Firefox 34.0	Linux (Debian 7.8)	No	Yes	Yes
Iceweasel 31.4.0	Linux (Debian 7.8)	No	Yes	Yes
Opera 12.16 (build 1860)	Linux (Debian 7.5)	No	Yes	Yes
Chrome 38.0.2125.114	Android (CM11)	Yes	Yes	Yes
Chrome 37.0.2062.117	Android (CM11)	No	Yes	Yes
Firefox 35.0	Android (CM11)	Yes	Yes	Yes
Firefox 34.0	Android (CM11)	No	Yes	Yes
Opera Classic 12.10.ADR-1309251116	Android (CM11)	No	Yes	Yes
Android 4.4.4 built-in browser	Android (CM11 M12)	No	Yes	No
Chrome 39.0.2171.50	iPhone 5 (iOS 7.1.2)	Yes	Yes	Yes
Chrome 35.0.1916.41	iPhone 5 (iOS 7.1.1)	No	Yes	Yes
iOS 8.1.1 Safari	iPhone 5 (iOS 8.1.1 (12B435))	No	Yes	Yes
iOS 7.1.1 Safari	iPhone 5 (iOS 7.1.1 (11D201))	No	Yes	Yes
Atomic Web 7.0.1	iPhone 5 (iOS 7.1.1)	No	Yes	Yes

Related browser security tests

Here are links to some third party browser SSL/TLS tests. They can be used to test other security features of web browser.

https://www.ssllabs.com/ssltest/viewMyClient.html - online browser test which analyzes various SSL/TLS (and related) features.
https://badssl.com/ - various online SSL/TLS browser tests.
https://www.grc.com/revocation.htm - online browser test which checks for acceptance of revoked certificates.

Retrieved from "https://projects.dm.id.lv/w/index.php?title=Public-Key-Pins_test&oldid=538"

Category:

IT Security

URL: https://projects.dm.id.lv/Public-Key-Pins_test