我最近发现在:
chrome://net-internals/#hsts
我可以添加域,从那时起,我只能通过 HTTPS 查看域!这类似于 Firefox 的 HTTPSEverywhere 附加组件,但不需要任何附加组件!
关于这个我有两个问题:
这是根据我的调查得出的部分答案: HSTS 信息以 JSON 格式存储在$PROFILE/TransportSecurity,$PROFILEChrome 在您的系统上存储此类内容的位置。
(这是 Chromium 版本34.0.1847.116 (Developer Build 260972) Ubuntu 13.10。)
该文件似乎缓存了您使用 HTTPS 访问过的每个网站的信息;chrome://net-internals/#hsts您可以通过查找非空 来轻松识别已启用特定公钥指纹的密钥dynamic_spki_hashes。
不幸的是,JSON 对象的键是完全不透明的(至少对我来说):它们是用 base64 编码的 32 字节二进制字符串。这是一个例子:
"xxxx 32 byte base64 encoded string xxxx=": {
"dynamic_spki_hashes": [ "sha1/oMSnRgDtpy3AvsuajLYHyljudF4=" ],
"dynamic_spki_hashes_expiry": 1496120402.263232,
"expiry": 1441256424.39423,
"mode": "force-https",
"pkp_include_subdomains": true,
"pkp_observed": 1409720402.26327,
"static_spki_hashes": [ ],
"sts_include_subdomains": true,
"sts_observed": 1409720424.39423
},
I'm not sure how to save these TransportSecurity files to copy them to another computer or another profile. I did try copying the whole TransportSecurity file to a new profile directory; however, when starting Chrome with that profile it did not appear to recognize the HSTS information in the TransportSecurity file.
Perhaps someone with greater understand of Chrome internals can help us understand how to not only view but also transfer this information.
I think the intent of HSTS is to make it all-but-impossible to override the browser's warning and visit a site with an invalid cert.
That said, if you have some specific really good reason to accept a certificate that Chrome doesn't like, I expect you could override it by adding the public key fingerprint of that cert using chrome://net-internals/#hsts.
| 归档时间: |
|
| 查看次数: |
2696 次 |
| 最近记录: |