Analysing HSTS and HPKP implementation in both browsers and servers

Analysing HSTS and HPKP implementation in both browsers and servers

For access to this article, please select a purchase option:

Buy article PDF
(plus tax if applicable)
Buy Knowledge Pack
10 articles for £75.00
(plus taxes if applicable)

IET members benefit from discounts to all IET publications and free access to E&T Magazine. If you are an IET member, log in to your account and the discounts will automatically be applied.

Learn more about IET membership 

Recommend Title Publication to library

You must fill out fields marked with: *

Librarian details
Your details
Why are you recommending this title?
Select reason:
IET Information Security — Recommend this title to your library

Thank you

Your recommendation has been sent to your librarian.

HTTP Strict Transport Security (HSTS) and HTTP Public Key Pinning (HPKP) are two protocols aimed to enforce HTTPS connections and allow certificate pinning over HTTP. The combination of these recent protocols improves and strengthens HTTPS security in general, adding an additional layer of trust and verification. In addition, they help ensure that the connection is always ciphered and correctly authenticated. However, during the process of adoption and implementation of any protocol that is not yet completely settled, the possibility of introducing new weaknesses, opportunities or attack scenarios arises. Even when these protocols are implemented, bad practices prevent them from actually providing the additional security they are expected to provide. In this study, the authors review not just the quantity but the quality (according to several criteria) of the implementation in both servers and most popular browsers and report on some possible attack scenarios that the authors have discovered.


    1. 1)
      • 1. Rizzo, J., Duong, T.: ‘BEAST’. Ekoparty, Buenos Aires, Argentina, September 2011.
    2. 2)
      • 2. Möller, B., Duong, T., Kotowicz, K.: ‘This POODLE bites: exploiting the SSL 3.0 fallback’ (2014). Available at:
    3. 3)
      • 3. Rizzo, J., Duong, T.: ‘The CRIME attack’. Ekoparty, Buenos Aires, Argentina, September 2012.
    4. 4)
      • 4. Codenomicon: ‘The heartbleed bug’. ekoparty, Buenos Aires, Argentina, September 2014.
    5. 5)
      • 5. Bhargavan, K., Delignat-Lavaud, A., Fournet, C., et al: ‘Triple handshakes and cookie cutters: breaking and fixing authentication over TLS’. IEEE Symp. Security and Privacy, San Jose, California, May 2014.
    6. 6)
      • 6. Jia, Y., Chen, Y., Dong, X., et al: ‘Man-in-the-browser-cache: persisting HTTPS attacks via browser cache poisoning’, Comput. Secur., 2015, 55, pp. 6280.
    7. 7)
      • 7. Marlinspike, M.: ‘New tricks for defeating SSL in practice’. BlackHat (2009). Availabe at:
    8. 8)
      • 8. Paul, I.: ‘Firefox add-on firesheep brings hacking to the masses’. PCWorld (2010).
    9. 9)
      • 9. Mandalia, R.: ‘Security breach in CA networks-comodo, digiNotar, globalSign’. ISC2 Blog (2012). Availabe at:
    10. 10)
      • 10. Langley, A.: ‘Maintaining digital certificate security. Google Security Blog’ (2014). Availabe at:
    11. 11)
      • 11. Langley, A.: ‘Further improving digital certificate security. Google Security Blog’ (2013). Availabe at:
    12. 12)
      • 12. Hoffman, P.: ‘The DNS-based authentication of named entities (DANE). Transport Layer Security (TLS) Protocol: TLSA’. Available at:
    13. 13)
      • 13. Marlinspike, M., Perrin, T.: ‘Tacks’. Available at:
    14. 14)
      • 14. Wendlandt, D., Andersen, D., Perrig, A.: ‘Perspectives: improving SSH-style host authentication with multi-path probing (2008)’. Available at:
    15. 15)
      • 15. Loesch, C.: ‘Certificate patrol’. Available at:
    16. 16)
      • 16. Soghoian, C., Stamm, S.: ‘Certified lies: detecting and defeating government interception attacks against SSL’. 15th Int. Conf. Financial Cryptography and Data Security, Gros Islet, St. Lucia, 28 February – 4 March 2011.
    17. 17)
      • 17. Engert, K.: ‘Conspiracy. An add-on for Mozilla Firefox to give additional information when visiting secured sites (2010)’. Available at:
    18. 18)
      • 18. Marlinspike, M.: ‘Convergence (2011)’. Available at:
    19. 19)
      • 19. Holz, R., Riedmaier, T., Kammenhuber, N., et al: ‘X.509 forensics: detecting and localising the SSL/TLS men-in-the-middle’. ESORICS, Pisa, Italy, September 2012, vol. 7459, pp. 217234. Available at:
    20. 20)
      • 20. Garron, L., Bortz, A., Boneh, D.: ‘The state of HSTS deployment: a survey and common pitfalls(2014).
    21. 21)
      • 21. Kranch, M., Bonneau, J.: ‘Upgrading HTTPS in mid-air: an empirical study of strict transport security and key pinning’. Network and Distributed System Security Symposium (NDSS)’, San Diego, California, February 2015.
    22. 22)
      • 22. Selvi, J.: ‘Bypassing HTTP strict transport securityBlackHat Europe, 2014.
    23. 23)
      • 23. Yan: ‘Weird new tricks for browser fingerprinting(2015). Available at:
    24. 24)
      • 24. Nishimura, M.: ‘Appended period to hostnames can bypass HPKP and HSTS protections’. Available at:
    25. 25)
      • 25. IETF: IETF. Available at:
    26. 26)
      • 26. Internet Engineering Task Force (IETF): ‘HTTP strict transport security (HSTS)’. RFC 6797 (2012). Available at:
    27. 27)
      • 27. Internet Engineering Task Force (IETF): ‘Public key pinning extension for HTTP’. RFC 7469 (2015). Available at:
    28. 28)
      • 28. Deveria, A.: ‘Can I use strict transport security?’ (2016). Available at:
    29. 29)
      • 29. Monica: ‘Firefox 32 supports public key pinning’ (2014). Available at:
    30. 30)
      • 30. Bugzilla: [email protected]’ (2014). Available at:
    31. 31)
      • 31. Mozilla: ‘Mozilla Code’ (2014). Available at:
    32. 32)
      • 32. ElevenPaths: ‘PinPatrol’. Available at:
    33. 33)
      • 33. Deveria, A.: ‘Can I use public key Pinning(2015). Available at:
    34. 34)
      • 34. Deveria, A.: ‘Can I use HSTS?(2015). Available at:

Related content

This is a required field
Please enter a valid email address