By Abhishek Ghosh December 30, 2014 1:07 pm Updated on December 30, 2014

Public Key Pinning Support Nginx Ubuntu Cloud Server

Here is a guide to enabling Public Key Pinning support on an Nginx Ubuntu cloud server, which is essentially an advanced step beyond an HSTS setup. We have already discussed HSTS for Nginx, the Online Certificate Status Protocol (OCSP) and OCSP stapling; this article on Public Key Pinning is one level up.

 

Public Key Pinning Support Nginx Ubuntu Cloud Server : Basics

 

The Public Key Pinning Extension for HTTP is described by Google Inc. in the following document (dated October 5, 2014), which was still a draft at the time of publication of this article:

https://tools.ietf.org/html/draft-ietf-websec-key-pinning-21

As written on the draft as an abstract – a new HTTP header that allows web host operators to instruct user agents to remember (“pin”) the hosts’ cryptographic identities over a period of time. During that time, UAs will require that the host presents a certificate chain including at least one Subject Public Key Info structure whose fingerprint matches one of the pinned fingerprints for that host. By effectively reducing the number of trusted authorities who can authenticate the domain during the lifetime of the pin, pinning may reduce the incidence of man-in-the-middle attacks due to compromised Certification Authorities.


This is important because of vulnerabilities that may be introduced for governmental spyware activities; Certification Authorities will be the next target of the NSA for sure. It is very important for cloud servers, as they are multi-tenant in nature. nginx with NAXSI is very hard to break into, yet if HSTS is undermined by a compromised Certification Authority, our servers will be too easy to tweak via port 80.


 

Public Key Pinning Support Nginx Ubuntu Cloud Server : Steps

 

How do we check what an HSTS domain returns? We run cURL with grep:

curl -I -s https://thecustomizewindows.com | grep "Strict"

The output will be:

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

Now run this:

curl -I -s https://raymii.org | grep "Public-Key-Pins"

The output will be:

Public-Key-Pins: pin-sha256="klO23nT2ehFDXCfx3eHTDRESMz3asj1muO+4aIdjiuY="; pin-sha256="633lt352PKRXbOwf4xSEa1M517scpD3l5f79xMD9r9Q="; max-age=2592000; includeSubDomains

How do we get there? More importantly, how do we safeguard it? The safest way to pin a TLS certificate's public key is to also include the pin of a second public key. This RSA key should in no way be related to your first key; just generate a new one.

In other words, we have two SSL certificates, both from GeoTrust. One is for the bare domain only, and the other covers both www.thecustomizewindows.com and thecustomizewindows.com. This is not a mistake! We have two front-end servers to handle www, used only for the redirections. In case our main server's certificate gets compromised, we can switch to the second one, and we keep a bash script handy to do it. You can use the real keys you have in use, but that can be a point of failure and can itself backfire.

Another option is to sit and wait until we are under attack and then revoke. Revoking is not good, but re-issuing is, as we said in the Generate CSR, Private Key With SHA256 Signature article. Public Key Pinning is different from the limited, preload-list-based key pinning introduced by Firefox. The steps are simple; this computes the SHA-256 pin of the public key contained in a CSR:

openssl req -inform pem -pubkey -noout < example.com.csr | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | base64

As you will usually not have two different SSL certificates, you need to generate a CSR file and a "backup" pin too:

openssl req -new -newkey rsa:4096 -nodes -sha256 \
  -keyout example.com.backup.key -out example.com.backup.csr

Now we have two sets of keys ready to use; run the same openssl pipeline on example.com.backup.csr to obtain the backup pin.

In the case of Nginx, we add this line to the SSL server block:

add_header Public-Key-Pins 'pin-sha256="base64+info1="; pin-sha256="backup+pin+here=="; max-age=15768000; includeSubDomains';

max-age=15768000 is 6 months. You can increase it to match your SSL certificate's expiry time. Run nginx -t, then service nginx restart, and test on SSL Labs.
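The following is an added example, not code from the article or from nginx: it reproduces what the openssl pipeline above computes (base64 of the SHA-256 over the DER SubjectPublicKeyInfo), parses a Public-Key-Pins header like the one shown for raymii.org, and applies the two checks the draft asks a user agent to make before noting pins, so you can confirm before restarting nginx that the header with your live pin and backup pin would actually be honoured. The SPKI byte strings are constructed placeholders, not real keys.

```python
import base64
import hashlib

# Constructed stand-ins for DER SubjectPublicKeyInfo blobs (not real keys);
# a real deployment feeds the bytes from "openssl pkey -pubin -outform der".
LEAF_SPKI = b"constructed-spki-der-of-the-live-certificate-key"
BACKUP_SPKI = b"constructed-spki-der-of-the-unused-backup-key"
ROGUE_SPKI = b"constructed-spki-der-of-a-mis-issued-certificate"


def spki_pin(spki_der: bytes) -> str:
    """pin-sha256 value: base64(SHA-256(DER SPKI)), what the openssl pipeline prints."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def build_header(pins, max_age, include_subdomains=True):
    """Render the value for nginx's add_header Public-Key-Pins '...' line."""
    parts = ['pin-sha256="%s"' % p for p in pins] + ["max-age=%d" % max_age]
    if include_subdomains:
        parts.append("includeSubDomains")
    return "; ".join(parts)


def parse_hpkp(header: str) -> dict:
    """Split a Public-Key-Pins value into its pins and directives."""
    pins, max_age, include_sub = [], None, False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "pin-sha256":
            pins.append(value)
        elif name == "max-age":
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
    return {"pins": pins, "max_age": max_age, "include_subdomains": include_sub}


def pin_validation(header: str, chain_spkis) -> tuple:
    """The two checks a UA makes before noting pins: at least one pin matches an
    SPKI in the served chain, and at least one pin matches none (the backup)."""
    pins = set(parse_hpkp(header)["pins"])
    chain_pins = {spki_pin(s) for s in chain_spkis}
    return bool(pins & chain_pins), bool(pins - chain_pins)


def should_note_pins(header: str, chain_spkis) -> bool:
    """True only when a conforming UA would honour the header at all."""
    matched, has_backup = pin_validation(header, chain_spkis)
    return matched and has_backup and parse_hpkp(header)["max_age"] is not None
```

A header that carries only the live key's pin fails the backup check, so a user agent would silently ignore it; that is the case to catch before deploying.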

Cite this article as: Abhishek Ghosh, "Public Key Pinning Support Nginx Ubuntu Cloud Server," in The Customize Windows, December 30, 2014, March 29, 2023, https://thecustomizewindows.com/2014/12/public-key-pinning-support-nginx-ubuntu-cloud-server/.