Public-Key-Pins test

From Projects by Davis Mosenkovs
Jump to: navigation, search

This page allows online testing of browser (or web firewall, if SSL decrypting firewall is used) support for Public Key Pinning Extension for HTTP (HPKP) and HTTP Strict Transport Security (HSTS).

About Public key pinning and HPKP

Public key pinning and Public Key Pinning Extension for HTTP (HPKP) sections of Public-Key-Pins calculator page briefly describe these technologies, how they work and how they make HTTPS/SSL/TLS connections more secure.

Browser compatibility test

Automatic test results for browser visiting this page:

Feature Support
Public Key Pinning Extension for HTTP (HPKP)
HTTP Strict Transport Security (HSTS)

More precise manual testing

  • Public Key Pinning Extension for HTTP test page will open page only upon failure or will show non-bypassable browser error (stating that verification of certificate hash has failed) upon success. This test works by opening a page on subdomain whose certificate public key is not pinned via Public-Key-Pins HTTP header sent by this page.
  • HTTP Strict Transport Security (HSTS) test page will open page showing whether browser side redirection from HTTP to HTTPS has happened. This page works by using two different HTML files - success message available via HTTPS and failure message available via HTTP - and linking to failure message.

Direct test links

These links can be used to detect browser bugs in Public Key Pinning Extension for HTTP and HTTP Strict Transport Security (HSTS) implementations in specific conditions (e.g. when address is typed after re-opening browser, added to favorites, set as homepage, opened by restoring session etc.). These addresses can be used only after visiting https://projects.dm.id.lv/. Upon success both of these addresses will show non-bypassable browser errors.

  • http://hststest.projects.dm.id.lv/ (please note "http://" without "s") is direct address of HTTP Strict Transport Security (HSTS) (including No User Recourse) test page. It will open page (or bypassable error/warning) only upon failure or it will show non-bypassable browser error (about invalid certificate) upon success. This address tests HSTS and HSTS No User Recourse, so bypassable error/warning means that only No User Recourse is not supported.

Test results for some well known browsers

This table shows test results for some popular web browsers:

Browser Platform HPKP supported HSTS supported HSTS No User Recourse
Chrome 35.0.1916.153 m Windows 7 Yes Yes Yes
Firefox 35.0 Windows 7 Yes Yes Yes
Firefox 34.0 Windows 7 No Yes Yes
Opera 23.0.1522.60 Windows 7 Partially
(bypassable error)
Yes No
Internet Explorer 11.0.38 (11.0.9600.18538) Windows 8.1 No Yes Yes
Internet Explorer 11.0.38 (11.0.9600.18537) Windows 7 No Yes Yes
Internet Explorer 11.0.8 (11.0.9600.16663) Windows 8.1 No No No
Chrome 35.0.1916.153 MacOS 10.9 Yes Yes Yes
Firefox 35.0 MacOS 10.10.1 Yes Yes Yes
Firefox 33.0.3 MacOS 10.10.1 No Yes Yes
Safari 7.0.3 (9537.75.14) MacOS 10.9 No Yes Yes
Chrome 35.0.1916.153 Linux (Debian 7.5) Yes Yes Yes
Firefox 35.0 Linux (Debian 7.8) Yes Yes Yes
Firefox 34.0 Linux (Debian 7.8) No Yes Yes
Iceweasel 31.4.0 Linux (Debian 7.8) No Yes Yes
Opera 12.16 (build 1860) Linux (Debian 7.5) No Yes Yes
Chrome 38.0.2125.114 Android (CM11) Yes Yes Yes
Chrome 37.0.2062.117 Android (CM11) No Yes Yes
Firefox 35.0 Android (CM11) Yes Yes Yes
Firefox 34.0 Android (CM11) No Yes Yes
Opera Classic 12.10.ADR-1309251116 Android (CM11) No Yes Yes
Android 4.4.4 built-in browser Android (CM11 M12) No Yes No
Chrome 39.0.2171.50 iPhone 5 (iOS 7.1.2) Yes Yes Yes
Chrome 35.0.1916.41 iPhone 5 (iOS 7.1.1) No Yes Yes
iOS 8.1.1 Safari iPhone 5 (iOS 8.1.1 (12B435)) No Yes Yes
iOS 7.1.1 Safari iPhone 5 (iOS 7.1.1 (11D201)) No Yes Yes
Atomic Web 7.0.1 iPhone 5 (iOS 7.1.1) No Yes Yes

Related browser security tests

Here are links to some third party browser SSL/TLS tests. They can be used to test other security features of web browser.