
I am absolutely confused about the header Public-Key-Pinning. How do you add it in Apache?

What I did:
Took the public key hash from my domain cert, intermediate cert and the root certs separately and added this to Apache; mod_headers is enabled. But SSLLabs says "No Chain. Check Backup Pins".

Header always set Public-Key-Pins "pin-sha256=\"Root-SSL-Public-Key\"; pin-sha256=\"Intermediate-SSL-Public-Key\"; pin-sha256=\"Domain-SSL-Public-Key\"; max-age=2592000; includeSubDomains"
Example person

1 Answer


HPKP is a bad idea. It’s way too easy to brick your site using it and the protection it provides is fairly small given that.

Almost all browsers have dropped support for HPKP because of this.

One of the things the spec includes to mitigate breaking your site is that you must have at least one pin that is NOT in your current cert and chain. That is, you must have two completely independent pins: one from a backup key/cert/CA, so if you lose control of your primary one you can still connect. If you have only pinned your cert, intermediate and root then they are all from the same chain and so do not meet this requirement.

Fix that and it should be accepted by SSLLabs. But honestly why bother given browser support and the risk versus reward profile?

Barry Pollard
  • It pretty much is now that all mainstream browsers have removed support for it. – Barry Pollard Feb 18 '20 at 14:44
  • Google use hard coded HPKP (even more dangerous IMHO - https://www.tunetheweb.com/blog/dangerous-web-security-features/) but Google have smart enough engineers to know how to set this up properly (no offence meant) and also how to manage this properly going forward. They also have a fair bit of sway (especially in their own browser Chrome) to get things fixed if they accidentally break something. – Barry Pollard Feb 18 '20 at 14:49
  • Correct. If the HPKP value has been accepted by the browser - another fail safe is “wrong” values are ignored, but assuming it wasn’t wrong and you’ve just changed your cert then yes it would be blocked until max-age expired. Though some browsers cap max-age (at 60 days I think) again to reduce this risk and also allow you to clear browser cache locally. – Barry Pollard Feb 18 '20 at 14:55
  • Well, personally I do not like the preload header for HSTS for the same risk versus reward reasons as described in my post. Your CSP header is also pretty weak, but that’s a difficult one to get right. Try your site in https://securityheaders.com for the latest info on security headers. – Barry Pollard Feb 18 '20 at 15:07
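The backup-pin rule the answer describes is what SSLLabs is checking, and it is the same acceptance rule RFC 7469 gives user agents: a Public-Key-Pins header is only honoured if at least one pin-sha256 matches a key in the served chain and at least one does not. The following is an added example, not code from the question or the answer. It derives pin values the way the RFC defines them (base64 of the SHA-256 over the DER SubjectPublicKeyInfo), parses a header, applies the chain-match and backup-pin checks to the header from the question and to a corrected one, and emits the mod_headers line. The SPKI byte strings are constructed placeholders standing in for real DER keys; `spki_pin`, `parse_pkp`, `check_pkp` and `apache_pkp_line` are names chosen for this example.

```python
from __future__ import annotations

import base64
import hashlib

# Added example, not from the original Q&A. The *_SPKI values below are
# constructed placeholders, not real keys; in practice the DER SPKI comes
# out of the certificate or key file (see the openssl pipeline in the text).


def spki_pin(spki_der: bytes) -> str:
    """pin-sha256 value per RFC 7469: base64(SHA-256(DER SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def parse_pkp(header_value: str) -> dict:
    """Split a Public-Key-Pins header value into its directives."""
    policy = {"pins": [], "max_age": None, "include_subdomains": False, "report_uri": None}
    for directive in header_value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "pin-sha256":
            policy["pins"].append(value)
        elif name == "max-age":
            policy["max_age"] = int(value)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "report-uri":
            policy["report_uri"] = value
    return policy


def check_pkp(header_value: str, chain_pins: list[str]) -> tuple[bool, list[str]]:
    """Apply the RFC 7469 acceptance rules a browser (or SSLLabs) applies.

    chain_pins are the pin-sha256 values of every certificate the server
    actually sends (leaf, intermediates, root). Returns (accepted, problems).
    """
    policy = parse_pkp(header_value)
    pins, chain = set(policy["pins"]), set(chain_pins)
    problems = []
    if policy["max_age"] is None:
        problems.append("max-age directive is required")
    if not pins & chain:
        problems.append("no pin matches any key in the served chain")
    if not pins - chain:
        problems.append("no backup pin: every pin is in the served chain; "
                        "add a pin for an independent key that is NOT in the chain")
    return (not problems, problems)


def apache_pkp_line(chain_pin: str, backup_pin: str, max_age: int = 2592000,
                    include_subdomains: bool = False) -> str:
    """Build the mod_headers directive, with the inner quotes escaped as Apache needs."""
    value = f'pin-sha256=\\"{chain_pin}\\"; pin-sha256=\\"{backup_pin}\\"; max-age={max_age}'
    if include_subdomains:
        value += "; includeSubDomains"
    return f'Header always set Public-Key-Pins "{value}"'


# Constructed placeholders for the DER SPKI of each certificate in the chain
# and of a backup key that is generated and kept offline, never in the chain.
LEAF_SPKI = b"placeholder-spki-leaf"
INTERMEDIATE_SPKI = b"placeholder-spki-intermediate"
ROOT_SPKI = b"placeholder-spki-root"
BACKUP_SPKI = b"placeholder-spki-backup-key-kept-offline"

CHAIN_PINS = [spki_pin(k) for k in (LEAF_SPKI, INTERMEDIATE_SPKI, ROOT_SPKI)]

# What the question did: leaf + intermediate + root, all from the served chain.
QUESTION_HEADER = ("; ".join(f'pin-sha256="{p}"' for p in CHAIN_PINS)
                   + "; max-age=2592000; includeSubDomains")

# The fix: one pin that is in the chain plus one backup pin that is not.
FIXED_HEADER = (f'pin-sha256="{CHAIN_PINS[0]}"; pin-sha256="{spki_pin(BACKUP_SPKI)}"; '
                "max-age=2592000")

if __name__ == "__main__":
    print(check_pkp(QUESTION_HEADER, CHAIN_PINS))   # rejected: no backup pin
    print(check_pkp(FIXED_HEADER, CHAIN_PINS))      # accepted
    print(apache_pkp_line(CHAIN_PINS[0], spki_pin(BACKUP_SPKI)))
```

For a real certificate the DER SPKI that `spki_pin` hashes is what `openssl x509 -in cert.pem -pubkey -noout | openssl pkey -pubin -outform der` produces; the standard one-liner pipes that into `openssl dgst -sha256 -binary | openssl enc -base64`, which yields the same 44-character value. The pin for the backup should be computed from a key (or CSR) you have generated and stored offline, not from anything in the chain the server sends, otherwise the check above fails in exactly the way the question's header does.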