The title of this article may sound unbelievable, as we have promoted HPKP and HSTS since they were introduced. Most of the websites that used HPKP (aka Public Key Pinning) unfortunately ran into trouble, including us (we published our experience as a guide) and well-known sites such as Smashing Magazine and Scott Helme's website. Most of these websites have published their experience of such incidents to warn others. HPKP protects against a rare attack that is not very relevant for content-driven websites. Here are possible safer values of HPKP and HSTS for Apache2, and a discussion of why you should avoid them on a production site.
Safer Value of HPKP and HSTS
The major problem is bugs in Chrome. When we enable HPKP, Chrome and all of Google's browsers cache the values. If you navigate to chrome://net-internals/#hsts and run a query against our domain thecustomizewindows.com, at present you'll get these values:
```text
static_sts_domain: thecustomizewindows.com
static_upgrade_mode: FORCE_HTTPS
static_sts_include_subdomains: true
static_sts_observed: 1533618000
static_pkp_domain:
static_pkp_include_subdomains:
static_pkp_observed:
static_spki_hashes:
dynamic_sts_domain: thecustomizewindows.com
dynamic_upgrade_mode: FORCE_HTTPS
dynamic_sts_include_subdomains: false
dynamic_sts_observed: 1534612314.279288
dynamic_sts_expiry: 1621012314.279287
dynamic_pkp_domain: thecustomizewindows.com
dynamic_pkp_include_subdomains: false
dynamic_pkp_observed: 1534614108.195194
dynamic_pkp_expiry: 1534614138.195194
dynamic_spki_hashes: sha256/SDG5orEv8iX6MNenIAxa8nQFNpROB/6+llsZdXHZNqs=,sha256/i7WTqTvh0OioIruIfFR4kMPnBqrS2rdiVPl/s2uC/CY=,sha256/snqzW9Bwdb/++vjcA36+kbP/qaVMmnB9ckuI3qAkihQ=,sha256/BJKSF/6L2QXz4xK6MVj2RTiyPlFzQx3NcpuxnuqdABk=
```
You'll get similar values of sts_expiry with www.smashingmagazine.com too.
---
After our problem, our site was thankfully made accessible again with extensive help from a partner of GeoTrust, who deleted the public key pin values. We ourselves applied to be removed from the HSTS list, which failed. As you can see, two weeks after the incident not all values have been flushed yet. In other words, without their help we would have remained in the dark.
Why You Should Avoid HPKP and HSTS
Because there is no reason to advertise that you will always use HTTPS. You can always name your CA in a DNS CAA record instead.
A minor error in the cached HPKP or HSTS value, whether caused by your own technical issue or by the CA (for HPKP), may get your site virtually banned by Google.
Of course, you can use a very low max-age to be on the safe side. However, a low value needs to be monitored regularly, because it may jump very high when triggered by some unknown bug, as happened to us:

```text
dynamic_sts_observed: 1534612314.279288
dynamic_sts_expiry: 1621012314.279287
```
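One way to do that monitoring, as an added example that is not from the original post: a small Python script that parses a chrome://net-internals/#hsts query result like the one shown above, works out how long Chrome actually cached the dynamic HSTS and HPKP entries (expiry minus observed), and flags anything that outlives the intended max-age. The domain and pin values in the sample dump are placeholders; the timestamps are the ones from the post.

```python
from datetime import datetime, timezone

# Constructed sample of a chrome://net-internals/#hsts query; the timestamps
# are the ones shown in the post, the domain and pins are placeholders.
SAMPLE_DUMP = """\
static_sts_domain: example.com
static_upgrade_mode: FORCE_HTTPS
static_sts_observed: 1533618000
dynamic_sts_domain: example.com
dynamic_sts_observed: 1534612314.279288
dynamic_sts_expiry: 1621012314.279287
dynamic_pkp_domain: example.com
dynamic_pkp_observed: 1534614108.195194
dynamic_pkp_expiry: 1534614138.195194
dynamic_spki_hashes: sha256/PIN-ONE-PLACEHOLDER=,sha256/PIN-TWO-PLACEHOLDER=
"""

def parse_dump(text):
    """Turn Chrome's 'key: value' lines into a dict (empty values become '')."""
    entry = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            entry[key.strip()] = value.strip()
    return entry

def cached_lifetime(entry, kind):
    """Seconds the dynamic 'sts' or 'pkp' entry lives: expiry minus observed."""
    observed = entry.get(f"dynamic_{kind}_observed")
    expiry = entry.get(f"dynamic_{kind}_expiry")
    if not observed or not expiry:
        return None
    return round(float(expiry) - float(observed))

def audit(entry, expected_max_age=60, slack=10):
    """Flag anything the browser will remember far longer than the header we sent."""
    findings = []
    if entry.get("static_sts_domain"):
        findings.append("static (preloaded) HSTS entry: a response header cannot clear it")
    for kind, label in (("sts", "HSTS"), ("pkp", "HPKP")):
        lifetime = cached_lifetime(entry, kind)
        if lifetime is not None and lifetime > expected_max_age + slack:
            until = datetime.fromtimestamp(float(entry[f"dynamic_{kind}_expiry"]), tz=timezone.utc)
            findings.append(f"{label} cached for {lifetime} s, expires {until:%Y-%m-%d}")
    return findings

if __name__ == "__main__":
    for finding in audit(parse_dump(SAMPLE_DUMP)):
        print(finding)
```

Run against the sample, the 30-second HPKP entry passes while the HSTS entry is reported as cached for 86400000 seconds (1000 days), which is the kind of jump the paragraph above describes.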
With current technology, HSTS and HPKP are unfortunately tied to the browser's cache. With subdomains included in HSTS and an error in HPKP, you cannot even redirect to your subdomain (such as the www version, in our case).
Recommended Safer Values for HPKP and HSTS and How to Generate Them for Apache
Settings and a basic guide can be found in our older guides on setting up HPKP and HSTS. However, make the max-age very low and do not include subdomains:

```apache
# "preload" signals consent to be added to browsers' static list (the static_sts_* entries above)
Header always set Strict-Transport-Security "max-age=60; includeSubDomains; preload"
Header always set Public-Key-Pins 'pin-sha256="add-your-pin"; pin-sha256="add-your-another-pin"; max-age=60;'
```
Notice that the line adding the public key pins lacks includeSubDomains, unlike our earlier version:

```apache
Header always set Public-Key-Pins 'pin-sha256="add-your-pin"; pin-sha256="add-your-another-pin"; max-age=5184000; includeSubDomains'
```

However, includeSubDomains may get inherited from the HSTS value.
In our old guide, Enable HTTP Public Key Pinning (HPKP) Nginx With report-uri, we described how to generate the pin-sha256 value. Essentially, you run a longer command on the CSR:

```shell
# Extract the public key from the CSR, DER-encode it, hash it and base64 the digest
openssl req -inform pem -pubkey -noout < www.thecustomizewindows.com.csr | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | base64
```
In the same way, OCSP Stapling may throw errors.
Conclusion
We do not recommend using HPKP or HSTS, and probably not OCSP Stapling either, on production sites. A domain may lose visitors because of odd, unknown errors. The worst case is an unusable domain caused by a non-matching pin value. These are not things we can quickly reset ourselves. OCSP Must-Staple is another great idea, but OCSP Stapling and OCSP Must-Staple need a good OCSP response, which is in the hands of the CA, not you.