
Shortly I intend to install a new webserver and I'd like to secure the users a little bit more. I already have a domain, a (virtual) server and everything else that matters when configuring a server. Basically this one will be used as a webserver for personal storage for our family members, so we can share documents with each other independent of our current location. Because they are not very familiar with technology and stuff, I would like to secure the connection a bit more. Alongside the web application for file storage I will create a simple website, and in the future I think the webserver will also host a blog. I decided to structure the website like this:

  • storage.domain.tld - for our personal storage
  • domain.tld - there will be a simple website (an HTML file with CSS and JS files alongside)
  • domain.tld/blog - after some time I think this address will be used for a blog

I will use StartSSL to sign my certificate, which will be installed on the webserver. Because HPKP requires a backup certificate, I will also create an additional certificate in case of any failure in the future. I think that after some reading I correctly understand how to configure HPKP, but I'm still not sure how to deal with subdomains and what exactly could be a problem if there is a misconfigured HPKP header.

So first about subdomains... Most of our family members will just use storage.domain.tld. StartSSL allows signing a certificate for the main domain and one subdomain. Will browsers recognize the HPKP header on the subdomain if I set it only on domain.tld and add includeSubdomains to it? What to do if browsers recognize the HPKP header only on the domain you actually visit? I would also like to see some suggestions on this topic, because I'm out of ideas what to do here.

And the second thing, about a misconfigured HPKP. When I set everything up, I think I'll set the max-age of the HPKP header to something around 60 (1 minute should be enough to test whether HPKP works correctly). After success I think I'll extend max-age to half a year. If I understand correctly, the browser just checks if the public key in the HPKP header is the same as the one of the webserver. If there's a match, everything should be OK. So there is no connection to any other service for checking the correct settings of HPKP? If I use the browser in private mode and I visit my site with misconfigured HPKP, will this problem disappear if I remove the HPKP header and visit the site again in non-private mode?

I will appreciate all suggestions and comments on my questions. Thank you in advance!

user1257255
2 Answers


Will browsers recognize the HPKP header on the subdomain if I set it only on domain.tld and add includeSubdomains to it?

If the user never visits domain.tld and the HPKP header is only sent on requests to this domain, then the browser will never see the HPKP header. But the header only has any effect after the browser has seen it. Once the browser has seen the header it will also affect the subdomain since you've specified it, but the header will not magically travel to the browser when doing requests for the subdomain only. Thus you should add the header to all affected domains to make sure the browser gets it and also gets the updates.

So there is no connection to any other service for checking the correct settings of HPKP?

Correct. HPKP uses only the communication between the browser and the server sending the HPKP header, i.e. your server. Everything is solely under your control. And if you mess it up, only you can fix it.

If I use the browser in private mode and I visit my site with misconfigured HPKP, will this problem disappear if I remove the HPKP header and visit the site again in non-private mode?

I have no source for this, but I doubt it. HPKP will either be fully shared with private mode, and thus the problems persist there, or no sharing will be done, in which case the problem does not happen in private mode but still happens in non-private mode. I don't think that sharing will only be done in one direction, and especially not from private mode to non-private mode.

Steffen Ullrich
  • I agree with @thatguyfromoverthere, but I still have one question. Is it okay to add the same HPKP headers to `domain.tld` and `storage.domain.tld`? If not, what do you suggest I do then? – user1257255 Sep 02 '15 at 06:51
  • @user1257255: if all of your domains share the same certificates (or at least the public key) then you might use the same header. includeSubdomains is kind of useless if you have no subdomains like `www.storage.domain.tld`, but it does not harm either. – Steffen Ullrich Sep 02 '15 at 07:03
  • @SteffenUllrich Both domains (`domain.tld`, `storage.domain.tld`) will use the same certificate. Can anything go wrong if I add includeSubdomains to both domains in the case of the same HPKP headers? – user1257255 Sep 02 '15 at 12:41
  • @user1257255: I cannot imagine what can go wrong, but you might want to read [Using includeSubDomains Safely](https://tools.ietf.org/html/rfc7469#page-20) yourself. – Steffen Ullrich Sep 02 '15 at 13:07
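As an added example (not code from the question or either answer), a small Python model of the browser-side pin cache the answer above describes: a pin set is only noted for the host that actually served the header, includeSubDomains extends it to subdomains, the served key must match one pin with a backup pin present, and max-age=0 clears the entry. The class and function names are my own; the pin computation follows RFC 7469 (base64 of SHA-256 over the DER SubjectPublicKeyInfo), but the SPKI bytes used in the checks are constructed stand-ins, not real keys.

```python
import base64, hashlib

def pin_sha256(spki_der: bytes) -> str:
    """RFC 7469 pin value: base64 of SHA-256 over the DER SubjectPublicKeyInfo."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()

def parse_pkp(header: str) -> dict:
    """Parse a Public-Key-Pins value into its pins, max-age and includeSubDomains."""
    policy = {"pins": set(), "max_age": None, "sub": False}
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        name, value = name.lower(), value.strip('"')
        if name == "pin-sha256":
            policy["pins"].add(value)
        elif name == "max-age":
            policy["max_age"] = int(value)
        elif name == "includesubdomains":
            policy["sub"] = True
    return policy

class PinStore:
    """Toy model of a browser's HPKP cache (assumes one leaf key per connection)."""
    def __init__(self):
        self.known = {}  # host -> (pins, expires_at, includeSubDomains)

    def observe(self, host: str, header: str, served_spki: bytes, now: int) -> bool:
        """A response from `host` carried the header; note it if it is valid."""
        p = parse_pkp(header)
        if p["max_age"] is None:
            return False                      # max-age is required
        if p["max_age"] == 0:                 # max-age=0 clears a stored policy
            self.known.pop(host, None)
            return True
        served = pin_sha256(served_spki)
        # RFC 7469: served key must match a pin, and a backup pin must be present
        if served not in p["pins"] or p["pins"] == {served}:
            return False
        self.known[host] = (p["pins"], now + p["max_age"], p["sub"])
        return True

    def allows(self, host: str, served_spki: bytes, now: int) -> bool:
        """Would the browser accept this key for `host`? True if no pin applies."""
        served = pin_sha256(served_spki)
        labels = host.split(".")
        for i in range(len(labels)):          # most specific host first
            pins, expires, sub = self.known.get(".".join(labels[i:]), (None, 0, False))
            if pins and now < expires and (i == 0 or sub):
                return served in pins
        return True                           # unpinned host: no HPKP check
```

Running `observe` only for `domain.tld` and then `allows` for `storage.domain.tld` shows why the header must be served on every host a user actually visits: until the parent host has been seen, the subdomain is simply unpinned.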

In response to Steffen's answer above, but posting as a separate answer due to length.

It's easy to remove HPKP from your own copy of Chrome by using the chrome://net-internals/#hsts page. Not so much the other browsers.

It's impossible to remove it from everyone else's Chrome unless you can visit each person (which may be possible in your use case, but not generally).

IncludeSubDomains is more secure, even if you don't have subdomains, so I don't agree it's useless. For example, if someone had access to the DNS your site was using, they could set up fake.domain.tld, and if they also persuaded you to visit that site, it would have access to the cookies for domain.tld. Unlikely, yes, but so is the use case HPKP gives you protection for (someone manages to create a recognised certificate for your domain and gets you to visit).

Personally I don't think HPKP should be considered for mainstream use, to be honest, as it has too many downsides, and I don't think these downsides are being called out enough. I blogged about it here if interested, as that is going off topic from the original question.

Barry Pollard
  • Ok thanks for letting me know. Answer updated now. Not intending to spam but happy to remove that link if it offends. – Barry Pollard Sep 11 '15 at 19:51
  • Totally not offensive, it's just that we don't want people using the site to try and drive traffic to themselves, or to use their own writing as support for statements they make here while making it look like that support is independent. – schroeder Sep 11 '15 at 19:53