HTTP Public Key Pinning (HPKP) support

rugk

I wonder if you support HPKP. In case not, it would be awesome if you’ll add support.
E.g. Posteo supports it and it can be easily implemented as it is just a HTTP header. However the result is a huge security improvement making MITM attacks much more difficult.

Here more information about HPKP:

rugk

BTW, here is Android’s doc about how to do key pinning in general:
https://developer.android.com/training/articles/security-config.html#CertificatePinning

You could even allow such manual key pinning by letting users enter the cert hash, or, as said, just support HPKP, where this is done automatically.

rfc2822

@rugk The mentioned pinning method is to pin certain certificates which are built in the app. It won’t help in the DAVdroid use case.

rugk

@rfc2822 Hmm, okay… Too bad.

rfc2822

By the way… http://www.zdnet.com/article/google-chrome-is-backing-away-from-public-key-pinning-and-heres-why/

HTTP Public Key Pinning (HPKP) support

Similar topics

HTTPS proxies not supported; sends https:// data unencrypted!
DAVx⁵ • bug • • AutoImport-llebegue

Pre-existing contacts don't get imported into new account
DAVx⁵ • enhancement • • AutoImport-dalb8

Does not work with zimbra
DAVx⁵ • enhancement bug • • AutoImport-roidelapluie

HTTP Public Key Pinning (HPKP) support

Similar topics

HTTPS proxies not supported; sends https:// data unencrypted! DAVx⁵ • bug • • AutoImport-llebegue

Pre-existing contacts don't get imported into new account DAVx⁵ • enhancement • • AutoImport-dalb8

Does not work with zimbra DAVx⁵ • enhancement bug • • AutoImport-roidelapluie

HTTPS proxies not supported; sends https:// data unencrypted!
DAVx⁵ • bug • • AutoImport-llebegue

Pre-existing contacts don't get imported into new account
DAVx⁵ • enhancement • • AutoImport-dalb8

Does not work with zimbra
DAVx⁵ • enhancement bug • • AutoImport-roidelapluie