Web security: HPKP

Third post in the web security series.

So now you are sure your user's web browser made a secure connection to your server, right? Is it really your server? Your browser will trust any certificate for your domain that as been signed by a trusted Certificate Authority. But what happen if a CA get highjacked or one of the trusted CA is owned by a government probably spying on their citizens? The "bad guy" can issue a valid certificate for any domain…

Enters HPKP: HTTP Public Key Pinning. The idea is that your server gives a hash of the public key to the web browser. If somebody manage to fake a CA, the connection will be done with a different key and the browser will detect it.

The HPKP is header is limited in time, so your server tells "this is the key I will use for at least the next XX days". Is your server is compromised and you have to issue a new key, all your visitors knowing the previous key will refuse to connect to your server. Either you prepare a backup key (you can pin multiple keys) or you also add your CA key… trusting your CA won't get compromised either (this decrease the vulnarability from all CAs to your CA).

HPKP is not widely deployed yet, Chrome and Firefox have basic support for it and are working to expand their support of it.

Manually generate the hash for your key

$ openssl pkey -pubout -in test.key | openssl asn1parse -inform pem -noout -out test.pub
$ openssl dgst -sha256 -binary test.pub | openssl enc -base64

This will generate a SHA256 hash of your key that you can put in the HPKP header:

Public-Key-Pins: pin-sha256="kDplvsQv8pNLpb7WI/AFvGpDSz0sH3wxupKz6a0RavQ="; max-age=5184000

Notes:

• A more detailed explanation about how HPKP works
• A tool to generate HPKP headers: