Pin Patrol: list Firefox HSTS and HPKP log
Pin Patrol is a free browser extension for the Firefox web browser that lists the HSTS and HPKP log the browser maintains.
We talked about HTTP Strict Transport Security (HSTS) and HTTP Public Key Pinning (HPKP) before here on Ghacks.
The two security features that are part of Firefox improve how Firefox handles secure connections. Without going into too many details, HSTS blocks insecure connections to sites if a web server instructed Firefox on first connect to do so.
HPKP on the other hand has been designed to block impersonation attacks by only accepting a list of public keys that the web server provided on first connect.
Both methods have in common that they require an initial connect to a server, and that they keep the information stored in a log file on the local system.
Sites may use the features to track users.
Pin Patrol
Pin Patrol is a free browser add-on for Firefox that lists all domains that Firefox has stored HSTS or HPKP information for.
While you may access the information manually as well, by opening the file SiteSecurityServiceState.txt located in the main Firefox profile folder, the add-on presents the list in a readable format directly in the browser.
Granted, if you just need to check the contents from time to time, you may not need the add-on for that. Also, if you delete all browsing data regularly, there is little need to pay close attention to it.
Pin Patrol lists all HSTS and HPKP domains known to Firefox in a table format when you click on the extension icon.
The main benefit of using the extension, apart from being able to display the data directly in Firefox, is that it displays it in a readable format.
The information provided includes the full domain name, whether HSTS or HPKP are stored, a score, data, expiration time, security property information, subdomain and HPKP pins.
The score is a value set by Firefox which increases by one for every 24-hour period the domain is visited.
The extension provides a search field at the top that you may use to find specific information. Unfortunately, Pin Patrol does not offer any options to delete entries right from within the extension's interface.
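The fields listed above can also be read straight from SiteSecurityServiceState.txt. The following is an added example, not part of the original article or of Pin Patrol's code. It assumes the tab-separated layout that older Firefox releases wrote (host:type, score, last-visit day, then expiry in milliseconds, state, subdomain flag and optional 44-character pins); the function names and the sample lines are constructed for illustration.

```python
import datetime as dt

# Constructed sample. Assumed layout, one entry per line, tab-separated:
# host:type  score  last-visit day (days since 1970-01-01)  expiry_ms,state,subdomains[,pins]
SAMPLE = (
    "example.com:HSTS\t3\t17300\t1526342400000,1,1\n"
    "pinned.example:HPKP\t0\t17301\t1500000000000,1,0," + "A" * 43 + "=" + "B" * 43 + "=\n"
    "broken line without tabs\n"
)
PIN_LEN = 44  # base64 of a SHA-256 digest; pins are assumed to be concatenated


def parse_state(text):
    """Return (entries, skipped_lines) for SiteSecurityServiceState.txt content."""
    entries, skipped = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            key, score, day, value = line.split("\t")  # ValueError unless 4 fields
            host, _, kind = key.rpartition(":")
            if not host:
                raise ValueError("key is not host:type")
            parts = value.split(",")
            entry = {
                "host": host,
                "type": kind,
                "score": int(score),
                "last_visit": dt.date(1970, 1, 1) + dt.timedelta(days=int(day)),
                "expires": dt.datetime.fromtimestamp(int(parts[0]) / 1000, dt.timezone.utc),
                "state": int(parts[1]),  # 1 = property set (assumed meaning)
                "subdomains": parts[2] == "1",
            }
        except (ValueError, IndexError, OverflowError, OSError):
            skipped.append(line)  # keep malformed lines for manual review
            continue
        blob = parts[3] if len(parts) > 3 else ""
        entry["pins"] = [blob[i:i + PIN_LEN] for i in range(0, len(blob), PIN_LEN)]
        entries.append(entry)
    return entries, skipped


def active(entries, now):
    """Entries that are set and not yet expired at `now` (timezone-aware datetime)."""
    return [e for e in entries if e["state"] == 1 and e["expires"] > now]


if __name__ == "__main__":
    parsed, bad = parse_state(SAMPLE)
    for e in active(parsed, dt.datetime.now(dt.timezone.utc)):
        print(e["type"], e["host"], "expires", e["expires"].date(), "pins:", len(e["pins"]))
    print("skipped:", bad)
```

To inspect a real profile, read a copy of the file and pass its text to `parse_state`; lines that do not match the assumed layout end up in the skipped list instead of being dropped silently.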
Closing Words
Pin Patrol makes Firefox's HSTS and HPKP logs accessible in the browser. That's handy for a quick check of the log, or making sure that a web server delivers correct information.
Any “improvement” that reLIEs on third party servers is useless or potentially malware.
Any “improvement” from Mozilla CORPORATION will send unsolicited pings to tracking servers.
I tried this the other week – it finds nothing, zip, nada, zilch, zero – EVER. The SiteSecurityServiceState.txt file in my profile is blanked and set to read only. Not saying this is recommended, and I’m not an expert. But I did a lot of testing of this in the ghacks user.js comments, and can almost say that regardless of the txt file, you can still be tracked. Clearing site permissions (via the interface) wipes them, but they are not stored in moz_perms (manually clearing the tables does nothing). Closing all private windows clears the private window set, closing FF does the same. I wish someone from Mozilla would ELI5 exactly where and how this is gathered and stored and used for tracking online.
Not just FF is involved. There is a SiteSecurityServiceState.txt file in my Thunderbird folder. No idea if Pin Patrol looks for this one, but the txt file looks to be the same format.