
My Apache HTTPS server returned the following header in its response to a request to https://lab20.example.com:

Public-Key-Pins: pin-sha256="klO23nT2ehFDXCfx3eHTDRESMz3asj1muO+4aIdjiuY="; pin-sha256="633lt352PKRXbOwf4xSEa1M517scpD3l5f79xMD9r9Q="; max-age=2592000; includeSubDomains

Those pins are invalid on purpose, but Google Chrome 52 still allows connecting to my labs. It looks like HPKP is not working. I have also tested chrome://net-internals/#hsts, and after querying lab20.example.com I indeed see HSTS (confirmed working fine) but not HPKP: I do not see any dynamic_spki_hashes. Why?

Do I need to activate something in Chrome in order for it to understand and process HPKP headers?

Thanks,

user2913139

2 Answers


The header will ONLY be accepted if it's valid, and it is then used for future visits (within the max-age time).

This is specified in the spec:

The UA MUST note the Pins for a Host if and only if

...snip...

o The TLS connection was authenticated with a certificate chain containing at least one of the SPKI structures indicated by at least one of the given SPKI Fingerprints (see Section 2.6).

This is to stop you accidentally bricking your site and is a GREAT feature to reduce the danger of accidentally badly implemented HPKP.

It does, however, make testing bad HPKP quite difficult. Either manually add the headers using that internals page you cited, get two different certs for your page, or set a valid header at the top level (with includeSubDomains) and use a different cert for a subdomain to test.

Barry Pollard
  • Unfortunately it still does not work (tested with the newest Chrome). I have created a valid sha256 and applied it to the config (as per this article: https://raymii.org/s/articles/HTTP_Public_Key_Pinning_Extension_HPKP.html). Then I received a 200 response with this value. After that Chrome still does not display it in chrome://net-internals/#hsts, while it displays HSTS headers correctly, and I could see from the articles that it should also display HPKP. Why? – user2913139 Aug 05 '16 at 12:09

OK, I found out the reason: I have used my enterprise CA, but:

Chrome does not perform pin validation when the certificate chain chains up to a private trust anchor. A key result of this policy is that private trust anchors can be used to proxy (or MITM) connections, even to pinned sites. “Data loss prevention” appliances, firewalls, content filters, and malware can use this feature to defeat the protections of key pinning.

user2913139
  • Ah yes. A necessary, but big, limitation of HPKP. It would break too much if they didn't put this in, but at the same time it massively limits its usefulness for those using proxies or AV software that MITMs connections (either knowingly or unknowingly). – Barry Pollard Aug 05 '16 at 12:28
  • I'm really not a big fan of HPKP, to be honest, because of this and because of the risk of bricking your site, as I've blogged about here: https://www.tunetheweb.com/blog/dangerous-web-security-features/ The risk of getting it wrong seems very high to me (either on setup and in particular in future as things change) compared to the reward, unless you're a very high profile site with the expertise to manage this. – Barry Pollard Aug 05 '16 at 12:35
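Both answers above reduce to one decision a browser makes on each response: the "note the Pins" rule of RFC 7469 section 2.5 (at least one pin must match an SPKI in the validated chain, at least one backup pin must not, and max-age must be present), plus the Chrome policy quoted in the second answer that skips pin processing entirely when the chain ends at a private trust anchor. The script below is an added example, not code from this thread or from Chromium: it parses a Public-Key-Pins header value, computes pin-sha256 values, and returns a reason for accepting or rejecting the header. It uses only the Python standard library; the SPKI byte strings are constructed placeholders standing in for DER SubjectPublicKeyInfo, and the private-anchor policy is modelled as a caller-supplied flag rather than a real trust-store lookup.

```python
# Added example (not from the thread): RFC 7469 section 2.5 pin-noting rule plus
# Chrome's private-trust-anchor policy. SPKI bytes below are constructed placeholders.
import base64
import hashlib
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

def pin_sha256(spki_der: bytes) -> str:
    """RFC 7469 pin value: base64(SHA-256(DER-encoded SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")

@dataclass
class PkpHeader:
    pins: List[str] = field(default_factory=list)
    max_age: Optional[int] = None
    include_subdomains: bool = False
    report_uri: Optional[str] = None

# directive-name [ "=" ( quoted-string | token ) ]; unknown directives are ignored
_DIRECTIVE = re.compile(r'\s*([A-Za-z0-9-]+)\s*(?:=\s*(?:"([^"]*)"|([^;"\s]+)))?\s*')

def parse_pkp(value: str) -> PkpHeader:
    """Parse the value of a Public-Key-Pins header (everything after the colon)."""
    hdr = PkpHeader()
    for raw in value.split(";"):  # base64 pins and integers never contain ';'
        if not raw.strip():
            continue
        m = _DIRECTIVE.fullmatch(raw)
        if m is None:
            raise ValueError(f"malformed directive {raw.strip()!r}")
        name = m.group(1).lower()
        val = m.group(2) if m.group(2) is not None else m.group(3)
        if name == "pin-sha256":
            # must be valid base64 of exactly one SHA-256 digest (32 bytes)
            if val is None or len(base64.b64decode(val, validate=True)) != 32:
                raise ValueError(f"bad pin-sha256 value {val!r}")
            hdr.pins.append(val)
        elif name == "max-age":
            if val is None or not val.isdigit():
                raise ValueError(f"bad max-age value {val!r}")
            hdr.max_age = int(val)
        elif name == "includesubdomains":
            hdr.include_subdomains = True
        elif name == "report-uri":
            hdr.report_uri = val
    return hdr

def should_note_pins(header_value: str, chain_spki: List[bytes], *,
                     chain_to_private_anchor: bool = False) -> Tuple[bool, str]:
    """Decide whether the UA stores the pins from one response; returns (noted, reason)."""
    if chain_to_private_anchor:  # Chrome policy quoted in the thread (assumed flag)
        return False, "chain ends at a private trust anchor: Chrome skips pin processing"
    try:
        hdr = parse_pkp(header_value)
    except ValueError as exc:
        return False, f"header ignored: {exc}"
    if hdr.max_age is None:
        return False, "max-age directive missing"
    chain_pins = {pin_sha256(s) for s in chain_spki}
    matching = [p for p in hdr.pins if p in chain_pins]
    backup = [p for p in hdr.pins if p not in chain_pins]
    if not matching:
        return False, "no pin matches any SPKI in the validated chain"
    if not backup:
        return False, "no backup pin: every pin is already in the chain"
    return True, f"noted {len(hdr.pins)} pins for {hdr.max_age} seconds"

def pin_validation_passes(noted_pins: List[str], chain_spki: List[bytes]) -> bool:
    """Later visit: the validated chain must contain at least one noted pin."""
    chain_pins = {pin_sha256(s) for s in chain_spki}
    return any(p in chain_pins for p in noted_pins)

# Constructed placeholders for the SPKI of each chain element (not real DER).
LEAF_SPKI = b"constructed SPKI: lab20.example.com leaf"
INTERMEDIATE_SPKI = b"constructed SPKI: intermediate CA"
ROOT_SPKI = b"constructed SPKI: root CA"
BACKUP_SPKI = b"constructed SPKI: backup key kept offline"
CHAIN = [LEAF_SPKI, INTERMEDIATE_SPKI, ROOT_SPKI]

# The header value from the question, verbatim.
QUESTION_HEADER = ('pin-sha256="klO23nT2ehFDXCfx3eHTDRESMz3asj1muO+4aIdjiuY="; '
                   'pin-sha256="633lt352PKRXbOwf4xSEa1M517scpD3l5f79xMD9r9Q="; '
                   'max-age=2592000; includeSubDomains')

def build_header(spkis: List[bytes], max_age: int = 2592000) -> str:
    """Build a header value pinning the given SPKIs, with includeSubDomains."""
    parts = [f'pin-sha256="{pin_sha256(s)}"' for s in spkis]
    return "; ".join(parts + [f"max-age={max_age}", "includeSubDomains"])

if __name__ == "__main__":
    for label, header, private in [
        ("pins from the question", QUESTION_HEADER, False),
        ("leaf pin + backup pin", build_header([LEAF_SPKI, BACKUP_SPKI]), False),
        ("leaf + intermediate, no backup", build_header([LEAF_SPKI, INTERMEDIATE_SPKI]), False),
        ("valid pins, private enterprise CA", build_header([LEAF_SPKI, BACKUP_SPKI]), True),
    ]:
        print(label, should_note_pins(header, CHAIN, chain_to_private_anchor=private))
```

Run as a script, the first case reproduces the question: the pins parse fine but match nothing in the chain, so nothing is noted. The second case is the minimum a browser will accept (one pin in the chain plus one backup pin outside it); the third shows that pinning only keys already in the chain is also rejected; the fourth shows the enterprise-CA situation from the second answer, where even a correct header is never noted. For a real certificate the SPKI bytes come from the certificate itself, e.g. `openssl x509 -in cert.pem -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | base64`, which yields the same value `pin_sha256` computes over the DER SubjectPublicKeyInfo.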