How to defuse Public Key Pinning (HPKP)?


#1

Hi,
this is not necessarily linked to letsencrypt, but I am using it on one of my domains and I believe this community can be very helpful with this question.

So I have this domain that uses letsencrypt and has Public Key Pinning (HPKP) implemented as part of strengthening the SSL setup. I did that only to have a perfect score on SSL Labs, etc.

Now I want to remove that HPKP, as I find it too risky in terms of handing over to another IT guy, etc. And above all, I don't really see real value from it.

So my question is: How can I properly defuse HPKP on that domain?


#2

Hi @7php

remove the “Public-Key-Pins” header and wait out the “max-age” value.

Then it’s done.


#3

@JuergenAuer but if I remove it, won't the site be inaccessible until the max-age has expired?

(The max-age is 1 month long.)

Though, I could reduce the max-age to something like 1 day, and then after that remove the header? Waiting one day is OK-ish…


#4

The header is cached by the client.
There is no way to update all the clients to the new 1 day value - until after they have revisited your site.
But there is now way to know which or how many clients have updated or not yet updated the date.
So in effect, you will have to wait until after the furthest date ever given out to be sure that all clients have expired that date.


#5

Why is that? If you don’t change your certificate, so the clients find a valid pin, you can remove the header.

This is wrong. Clients may cache the header and come back 14 days later.

You shouldn’t send the header if you don’t want to use HPKP.


Remove the header, then wait one month without changing your certificate.

Then you can change your certificate.

But you have to wait one month. And you shouldn’t add the next month by sending the header again.
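The wait-out rule described above (pins stay cached for max-age, so the served certificate must keep matching one of them until the last header sent has aged out) can be checked mechanically. The following is an added example, not code from the thread or any of its posters; the SPKI byte strings and header value are constructed placeholders, not real keys:

```python
import base64
import hashlib
from datetime import datetime, timedelta


def parse_hpkp(header_value):
    """Parse a Public-Key-Pins header value into its pins and directives."""
    result = {"pins": [], "max_age": None, "include_subdomains": False, "report_uri": None}
    for directive in header_value.split(";"):
        name, _, value = directive.strip().partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "pin-sha256":
            result["pins"].append(value)
        elif name == "max-age":
            result["max_age"] = int(value)
        elif name == "includesubdomains":
            result["include_subdomains"] = True
        elif name == "report-uri":
            result["report_uri"] = value
    return result


def spki_pin(spki_der):
    """pin-sha256 value: base64(SHA-256(DER-encoded SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def cert_still_pinned(spki_der, header_value):
    """True if the served certificate's SPKI matches a pin clients may still cache.
    While any client can still hold the old header, this must stay True or
    those clients will refuse the connection."""
    return spki_pin(spki_der) in parse_hpkp(header_value)["pins"]


def pins_fully_expired_at(last_served_iso, max_age_seconds):
    """Earliest time at which no client can still hold the pins: the last time
    the header was sent plus its max-age (ISO 8601 in, ISO 8601 out)."""
    last = datetime.fromisoformat(last_served_iso)
    return (last + timedelta(seconds=max_age_seconds)).isoformat()


# Constructed sample input: placeholder byte strings standing in for the DER
# SubjectPublicKeyInfo of the current and backup keys (not real keys).
SAMPLE_SPKI = b"constructed-current-key-spki"
SAMPLE_HEADER = (
    f'pin-sha256="{spki_pin(SAMPLE_SPKI)}"; '
    f'pin-sha256="{spki_pin(b"constructed-backup-key-spki")}"; '
    "max-age=2592000; includeSubDomains"
)
```

For a live site, feed `spki_pin` the DER SubjectPublicKeyInfo of the certificate currently served and `pins_fully_expired_at` the timestamp of the last response that still carried the header.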


#6

Hi again @JuergenAuer, thank you for the precise reply. I think it is clear for me now. I will try that and give an update.
cheers


#7

Hi @rg305, thank you for the reply.
Can you please tell me how I can do that?


#8

He means “there is no way”. :slightly_smiling_face:


#9

Sorry that was a TYPO (now = no).

In short, you can “turn it off” at any time.
But you can’t be 100% completely “done with it” until after the furthest date ever given out.


#10

PS: Google has removed HPKP completely from Chrome. So it no longer has an effect.

Firefox doesn’t treat it as critical, so it’s the same: no effect.

Google: Since Chrome 67:

Deprecate support for public key pinning (PKP) in Chrome, and then remove it entirely.

https://groups.google.com/a/chromium.org/forum/#!msg/blink-dev/he9tr7p3rZ8/eNMwKPmUBAAJ


#11

What do you mean? If you mean it’s a bypassable error, it’s still an error.


#12

2017-01 or 2017-02, I’ve changed my certificate (RapidSSL to a new RapidSSL, but not from Symantec - Google-Symantec problem).

Tested it -> blocked in FF because of wrong pins. Added the new hash; one month later it worked.

This year, I switched to LE-certificates, checked it again. No blocking, only an information in the console.


#13

ok thank you, no problem :slight_smile:

