2

I was looking at the HTTP Strict Transport Security (HSTS) implementation in Firefox. Firefox stores this data for sites in a file called SiteSecurityServiceState.txt.

I see entries in it like -

support.mozilla.org:HPKP 3 17242 1483383397412,1,0,r/mIkG3eEpVdm+u/ko/cwxzOMo1bk4TyHIlByibiA5E=WoiWRyIOVNa9ihaBciRSC7XHjliYS9VwUGOIud4PB18=

web.facebook.com:HSTS 18 17227 1504027319798,1,0

HSTS is what I was looking for. It is configured in your web server to send the corresponding header in the response. The browser stores it and makes sure all subsequent requests always go to HTTPS and that the certificate is correct - it does not allow adding an exception (at least in Firefox).

So what's this HPKP and how does it work? Is it some other security configuration?

Aniket Thakur

2 Answers

6

HSTS and HPKP are different concepts.

An HTTP Strict Transport Security (HSTS) header instructs clients to use HTTPS for all future connections to a website, thereby preventing downgrade attacks. In contrast to HPKP, it doesn't influence how certificates are validated.

An HTTP Public Key Pinning (HPKP) header instructs clients to pin a specific public key to a domain. So, if a HPKP-supporting browser encounters a HPKP header, it will remember the specified public key hashes and associate them with that domain. In the future (until the specified max-age timeout expires), the browser will only accept a certificate for that domain if any key in the certificate's trust chain matches one of the associated hashes.

HPKP mitigates the risk of an attacker issuing rogue certificates after having compromised a certificate authority (occasionally happens). Your browser would normally be unable to detect a fraudulent certificate if it has been correctly signed by a trusted CA. (Although there are mechanisms to detect certificate revocations, e.g. OCSP/CRLs.) But if you have pinned a particular certificate to a website beforehand, the attacker won't be able to replace it without triggering a browser warning.

Note that since HPKP is trust-on-first-use, it will (similar to HSTS) only be effective after your first visit to a website. An exception to that are preload lists maintained by browser vendors for high-profile websites (Google, Facebook, Twitter, etc.). This means that even if DigiCert (Facebook's CA) would be compromised today, an attacker would be unable to intercept your connection to Facebook because the original certificates' public keys are preloaded in your browser.

GypsyCosmonaut
Arminius
  • May I ask why you mention hashes in plural? When we connect to a given site and it presents us its certificate, does it not contain one public key attached to it? Or do you refer to fingerprints on the cert itself plus any intermediate it might send as well? Could you please clarify? – cyzczy Mar 17 '17 at 17:28
  • @Arminius thanks for the details. Have a q though. Certs as you know they expire. So how come certs for high profile sites are preloaded in the browsers? If that's the case then for each cert expiry browsers have to give out a new release and older versions would never work. But that's not the case. – Aniket Thakur Mar 18 '17 at 05:55
  • @Aniket The expiry dates are stored too. If the certificate's expired, the HPKP won't work. – wizzwizz4 Mar 21 '17 at 18:38
  • @Arminius Great answer but could you please elaborate more on the line "This means that even if DigiCert (Facebook's CA) would be compromised today, an attacker would be unable to intercept your connection to Facebook because the original certificates' public keys are preloaded in your browser" – GypsyCosmonaut May 01 '17 at 19:30
  • 2
    Comment on HPKP in general: don't use it. It's a good way to nuke your site off the Internet for months/years even if _you_ don't screw anything up (but your CA or CDN or hosting provider screws up). It's not a well thought out protocol extension. See https://blog.qualys.com/ssllabs/2016/09/06/is-http-public-key-pinning-dead – rmalayter May 02 '17 at 01:36
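
The pin check described in the answer above, as an added example that is not part of the original answers: it parses a `Public-Key-Pins` header value (RFC 7469 syntax) and tests certificate chains against the stored pin set, which also shows why a pin set holds several hashes. The function names are hypothetical, and the SPKI byte strings are constructed stand-ins rather than real DER-encoded keys.

```python
import base64
import hashlib

def spki_pin(spki: bytes) -> str:
    """RFC 7469 pin: base64(SHA-256(DER SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki).digest()).decode()

def parse_pkp_header(value: str):
    """Parse a Public-Key-Pins value into (pins, max_age, include_subdomains)."""
    pins, max_age, include_sub = set(), None, False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name == "pin-sha256":
            pins.add(arg)
        elif name == "max-age" and arg.isdigit():
            max_age = int(arg)
        elif name == "includesubdomains":
            include_sub = True
    return pins, max_age, include_sub

def chain_matches(pins, chain_spkis) -> bool:
    """Accept if ANY key in the presented chain hashes to a stored pin."""
    return any(spki_pin(s) in pins for s in chain_spkis)

def can_note_pins(pins, max_age, chain_spkis) -> bool:
    """RFC 7469 first-use rule: one pin in the chain plus one backup pin outside it."""
    chain = {spki_pin(s) for s in chain_spkis}
    return max_age is not None and bool(pins & chain) and bool(pins - chain)

# Constructed stand-ins for DER SubjectPublicKeyInfo blobs (not real keys).
LEAF, INTERMEDIATE, ROOT = b"leaf-spki", b"intermediate-spki", b"root-spki"
BACKUP = b"offline-backup-spki"
ROGUE_CHAIN = [b"rogue-leaf-spki", b"other-ca-intermediate-spki", b"other-ca-root-spki"]

HEADER = (f'pin-sha256="{spki_pin(INTERMEDIATE)}"; pin-sha256="{spki_pin(BACKUP)}"; '
          'max-age=5184000; includeSubDomains')

if __name__ == "__main__":
    pins, max_age, _ = parse_pkp_header(HEADER)
    print("noted on first use:", can_note_pins(pins, max_age, [LEAF, INTERMEDIATE, ROOT]))
    print("same chain later:  ", chain_matches(pins, [LEAF, INTERMEDIATE, ROOT]))
    print("new leaf, same CA: ", chain_matches(pins, [b"renewed-leaf-spki", INTERMEDIATE, ROOT]))
    print("other CA's chain:  ", chain_matches(pins, ROGUE_CHAIN))
```

Because the pin is computed over the public key rather than the certificate, a chain with a reissued leaf under the pinned intermediate still matches, while a correctly signed chain from an unpinned CA does not.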
1

It's HTTP Public Key Pinning. It is intended to provide some (but not total) protection against compromised CAs.

https://www.rfc-editor.org/rfc/rfc7469

Peter Green