Certificate Transparency: Expect-CT HTTP-Security-Header

Tue, 23 Oct 2018 09:46:30 +0000

The Certificate Transparency is probably something Hubzilla should/could use?

It is a measure to prevent (or try to prevent) that a third party (man in the middle) could steal and use a certificate from the original server.

Example
Expect-CT: enforce, max-age=21600

I just found it in security blog.

Tue, 23 Oct 2018 09:55:00 +0000

If it doesn't cause any problems feel free to add it. About 1/2 of the security headers seem to break something that we rely on so I've been a bit cautious about adding more. For instance cert pinning sounds great on the surface until you figure out that most of our network uses 3-month LetsEncrypt certs and every three months your browser is going to complain - for every hub that publishes photos.

Tue, 23 Oct 2018 10:36:10 +0000

I question the entire concept of using the SSL cert to prove identity (which is what this is). Certs encrypt the data between the server and client. While it is A place where identity verification can be injected, I'm not sure it is the BEST place for it (not that I have another proposal, I just do the understand the double duty).