Pin Patrol for Chrome

A tool for improving the experience using HSTS and HPKP in Chrome. It shows this information in a human readable way, from your own browser or from any other. It is very easy to use and it can provide useful information about the HSTS and HPKP data stored by your browser or a different one. This is not just a Chrome extension, but a simple forensics tool for interpreting HPKP and HSTS data from any Chrome’s user.

Chrome stores HPKP and HSTS information hashing the domains in a standard format, so there is some “privacy” for the users. The extension also tries to “un-hash” the domains. If there is a domain in your HSTS and HPKP domains repository, it means you have visited it. So it should be in your History files. What this extension does is get to your history of domains visited and hash them. If this hash matches with some of the hashes in HSTS/HPKP, it “translates” it so it is un-hashed. There may be some domains that are not un-hashed. Some reasons:

- Your history has been deleted and the domain is not there, but still in the HSTS/HPKP repository.
- Some visits to some domains with HSTS and HPKP are done “in the background” of a webpage, as part of its APIs, advertising system, etc. And these may not be stored in the History.

Chrome offers an integrated way (chrome://net-internals/#hsts) to view some HSTS/HPKP information, but definitely it is not the best way to watch your domains.

The information provided by the table is the one stored by the browser, “translated” in a more human readable way.

- Domain: domain protected under HSTS or HPKP. It may be hashed.
- Date: when the domain was last visited.
- Expiration Time: max-age of HSTS or HPKP, in other words, when the entry will expire.
- Mode: basically, always force-https.
- IncludeSubdomains: whether the HSTS or HPKP directive includes subdomains.
- HPKP Pins: List of pins in the HPKP. header.
- Report-uri: if the domain is using report-uri to inform about “anomalies”.