You support HSTS, but I notice CSP and HPKP headers aren't used yet

<hidden> anonymous
Created: 3 years and 2 months ago • Updated: 3 years and 2 months ago
Hello

I notice HSTS is supported but you're not "baked into chromium or firefox source code yet"

eg. https://code.google.com/p/chromium/codes...

Obviously you're aware of this, as duckduckstart.com is on there, but it's an interesting decision just to use headers.

But CSP and HPKP headers aren't being used. Any plans to implement HPKP to limit MITM?

I know the whole PKI is pretty broken, and HPKP can't stop some forms of MITM, but it would drastically reduce it, and without breaking local proxies, antivirus etc. where local manually installed CA certs are being used.

It's just in keeping with not being tracked.

So CSP headers are very useful here too. They would cost you more dev time, but they promote best practise, and severely limit side channel attacks from injected code and so on...

Just a thought from a very happy quacker :)
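As an added illustration of what the post is asking for (not code from the thread or from DuckDuckGo), here is a small Python audit of the three response headers discussed: it checks the HSTS directives, the HPKP two-pin requirement, and whether the CSP falls back to `default-src` without allowing inline script. The header values are constructed samples, not captured from any real site.

```python
SAMPLE_HEADERS = {  # constructed sample headers, not captured from any real site
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
    "Public-Key-Pins": 'pin-sha256="cGxhY2Vob2xkZXItcGluLTE="; max-age=5184000',
}

def parse_directives(value):
    """Split 'a=1; b; c="x"' into (name, value) pairs with lower-cased names."""
    pairs = []
    for part in value.split(";"):
        if part.strip():
            name, _, val = part.strip().partition("=")
            pairs.append((name.strip().lower(), val.strip().strip('"')))
    return pairs

def audit_hsts(value):
    """HSTS only protects fully with a one-year max-age, includeSubDomains and preload."""
    d = dict(parse_directives(value))
    age = d.get("max-age", "")
    issues = [] if age.isdigit() and int(age) >= 31536000 else ["HSTS max-age missing or below one year"]
    issues += [f"HSTS lacks {k}" for k in ("includeSubDomains", "preload") if k.lower() not in d]
    return issues

def audit_csp(value):
    """CSP needs a default-src fallback and should not allow inline script or eval."""
    directives = {t[0].lower(): t[1:] for t in (p.split() for p in value.split(";")) if t}
    issues = [] if "default-src" in directives else ["CSP has no default-src fallback"]
    for name, sources in directives.items():
        if "'unsafe-inline'" in sources or "'unsafe-eval'" in sources:
            issues.append(f"CSP {name} allows unsafe-inline/unsafe-eval")
    return issues

def audit_hpkp(value):
    """HPKP requires at least two pins (one a backup key) plus a max-age."""
    directives = parse_directives(value)
    pins = [v for n, v in directives if n == "pin-sha256"]
    issues = [] if len(pins) >= 2 else ["HPKP needs two pin-sha256 values (one must be a backup)"]
    if "max-age" not in dict(directives):
        issues.append("HPKP lacks max-age")
    return issues

def audit(headers):
    """Return {header: [issues]} for the three headers; absent headers are reported too."""
    checks = {"strict-transport-security": audit_hsts,
              "content-security-policy": audit_csp, "public-key-pins": audit_hpkp}
    lowered = {k.lower(): v for k, v in headers.items()}
    return {n: f(lowered[n]) if n in lowered else ["header missing"] for n, f in checks.items()}
```

Running `audit(SAMPLE_HEADERS)` flags the single HPKP pin and the `'unsafe-inline'` in `script-src` while passing the HSTS header; HPKP itself has since been removed from the major browsers, so today the HSTS and CSP checks are the ones that still matter.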


anonymous
Duckduckstart is not affiliated with DDG.
posted by <hidden> • 3 years and 2 months ago
Alphabet_song.ogg
http://news.softpedia.com/news/tor-brows...

Does DDG use hpkp? Tor browser has fixed certificate pinning
posted by Alphabet_song.ogg • 2 years and 22 days ago