How to diffuse Public Key Pinning (HPKP)?

7php · January 16, 2019, 11:59am

Hi,
this is not necessarily linked to letsencrypt, but I am using it on one of my domain and I believe this community can be very helpful to help with this question.

So I have this domain that uses letsencrypt and has Public Key Pinning (HPKP) implemented as part of strengthening the SSL strength. I did that only to have a perfect score on ssl-labs…etc

Now I want to remove that HPKP as I find it too risky in terms of handling over to another IT guy…etc And above all, not really see real value from it.

So my question is: How can I properly diffuse HPKP on that domain?

JuergenAuer · January 16, 2019, 12:06pm

Hi @7php

remove the “Public-Key-Pins” - header and wait the “max-age” value.

Then it’s done.

7php · January 16, 2019, 1:49pm

@JuergenAuer but if I remove it, the site will not be accessible until the max-age is expired?

(The max-age is of 1 month length.)

Thought, I could reduce the max-age to like 1 day, and then after that I remove the header? waiting one day is OKish…

rg305 · January 16, 2019, 1:57pm

The header is cached by the client.
There is no way to update all the clients to the new 1 day value - until after they have revisited your site.
But there is now way to know which or how many clients have updated or not yet updated the date.
So in effect, you will have to wait until after the furthest date ever given out to be sure that all clients have expired that date.

JuergenAuer · January 16, 2019, 2:58pm

Why that? If you don’t change your certificate, so the clients find a valide pin, you can remove the header.

This is wrong. Clients may cache the header and come back 14 days later.

You shouldn’t send the header if you don’t want to use HPKP.

Remove the header, then wait one month without changing your certificate.

Then you can change your certificate.

But you have to wait one month. And you shouldn’t add the next month by sending the header again.

7php · January 17, 2019, 8:00am

Hi again @JuergenAuer, thank you for the precise reply. I think it is clear for me now. I will try that and give an update.
cheers

7php · January 17, 2019, 8:02am

Hi @rg305, thank you for the reply.
Can please tell me how I can do that?

tdelmas · January 17, 2019, 11:46am

He means “there is no way”.

rg305 · January 17, 2019, 6:35pm

Sorry that was a TYPO (now = no).

In short, you can “turn it off” at any time.
But you can’t be 100% completely “done with it” until after the furthest date ever given out.

JuergenAuer · January 17, 2019, 7:05pm

PS: Google has removed the HPKP completely from Chrome. So it has no longer an effect.

FireFox doesn’t use it as critical, so it’s the same: No effect.

Google: Since Chrome 67:

Deprecate support for public key pinning (PKP) in Chrome, and then remove it entirely.

https://groups.google.com/a/chromium.org/forum/#!msg/blink-dev/he9tr7p3rZ8/eNMwKPmUBAAJ

tdelmas · January 17, 2019, 7:10pm

What do you mean? If you mean it’s a bypassable error, it’s still an error.

JuergenAuer · January 17, 2019, 7:15pm

2017-01 or 2017-02, I’ve changed my certificate (RapidSSL to a new RapidSSL, but not from Symantec - Google-Symantec problem).

Testet it -> blocked in FF because of wrong pins. Added the new hash, one month later it worked.

This year, I switched to LE-certificates, checked it again. No blocking, only an information in the console.

7php · January 18, 2019, 10:37am

ok thank you, no problem

system · February 17, 2019, 10:37am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.