The title may sound unbelievable, since we have promoted HPKP and HSTS ever since they were introduced. Most websites that deployed HPKP (HTTP Public Key Pinning) ran into trouble, including us (we published the episode as a guide) and well-known sites such as Smashing Magazine and Scott Helme's. Most of them wrote up the incident to warn others. HPKP protects against a rare attack, a mis-issued certificate, which is of little relevance to a content-driven website. Here are the safest workable values of HPKP and HSTS for Apache2, and a discussion of why you should avoid them on a production site.
Safer Value of HPKP and HSTS
The major problem is the cache on the browser side. Once HPKP is enabled, Chrome and Google's other browsers store the pins locally and keep enforcing them until max-age runs out. The site can only clear them by serving max-age=0 over a connection that already passes the pin check, which is exactly the connection that fails once something goes wrong. If you navigate to
chrome://net-internals/#hsts and run a query against our domain
thecustomizewindows.com, at present you will still find cached HSTS and HPKP entries for it.
After our problem, our site thankfully became accessible again through extensive help from a partner of GeoTrust, via deletion of the public key pin values. We ourselves applied for removal from the HSTS preload list, which failed. As you can see, two weeks after the incident not all values have been flushed. In other words, without their help we would have remained in the dark.
Why You Should Avoid HPKP and HSTS
Because there is no reason to advertise that you will always use HTTPS. The mis-issuance risk that HPKP targets can be narrowed at the source instead: a CAA record in DNS tells certificate authorities which of them may issue certificates for your domain, and it keeps no state in anyone's browser. Be aware that CAA is not a replacement for HSTS: it constrains issuance at the CA and says nothing to browsers about using HTTPS, so dropping HSTS means accepting that a first visit may start over plain HTTP.
A minor error in the cached HPKP or HSTS value, whether caused by your own technical issue or by the CA (for HPKP, for example a reissued certificate whose chain no longer matches your pins), can make your site unreachable in Chrome until the cached entry expires. A pin-validation failure is a hard error with no click-through, so the site is effectively banned from the browser for every visitor who has cached the old value.
Of course, you can use a very low value to be on the safe side. However, a low value still needs regular monitoring, because the cached value can jump to a very high one through some unknown bug, as it did for us:
HSTS and HPKP are, with current technology, unfortunately tied to state held in the browser. With includeSubDomains set in HSTS and an error in the HPKP pins, you cannot even redirect visitors to a subdomain (the www version, in our case): the browser rejects the connection to the pinned host before any redirect is served, and HSTS forbids falling back to plain HTTP.
Recommended Safer Values of HPKP and HSTS and How to Generate Them for Apache
Settings and a basic guide can be found in our older guides to setting up HPKP and HSTS. However, make the max-age very low and do not include subdomains. The preload directive has to go as well: the HSTS preload list only accepts a policy with includeSubDomains and a max-age of at least 31536000 (one year), which is exactly the combination that caused our trouble, and removal from the list is slow.
Header always set Strict-Transport-Security "max-age=60"
Header always set Public-Key-Pins 'pin-sha256="add-your-pin"; pin-sha256="add-your-another-pin"; max-age=60'
Browsers only honour a Public-Key-Pins header that carries at least two pins, and one of them must be a backup key that is not in the current chain. Keep that backup key offline; it is what lets you replace the certificate without stranding visitors who have cached the pins.
Notice that the Public-Key-Pins line lacks includeSubDomains, unlike the value from our old guide:
Header always set Public-Key-Pins 'pin-sha256="add-your-pin"; pin-sha256="add-your-another-pin"; max-age=5184000; includeSubDomains'
The includeSubDomains directives of HSTS and HPKP are independent of each other: a pin set on the apex domain is not inherited by www unless the Public-Key-Pins header itself says includeSubDomains, and HSTS does not extend the pins. What HSTS with includeSubDomains does do is remove every fallback, because no host under the domain may be reached over plain HTTP once a pin check fails.
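As an added example (not code from the original guide), here is a small POSIX shell checker for the two header values before they go into the Apache config. It encodes the rules above: a max-age no higher than an assumed threshold (MAX_SAFE_AGE, a made-up default of one day), no includeSubDomains, no preload, and for HPKP at least two well-formed pins. A 32-byte SHA-256 digest is always 43 base64 characters plus one = sign, so placeholders such as add-your-pin are rejected on purpose.

```sh
#!/bin/sh
# Added example, not the original guide's code: sanity-check HSTS and
# HPKP header values against the "safer value" rules of this post.
# Each check prints its findings to stderr and returns 1 on a problem.
# MAX_SAFE_AGE (seconds) is an assumed threshold, one day by default.
MAX_SAFE_AGE=${MAX_SAFE_AGE:-86400}

lower() { printf '%s\n' "$1" | tr '[:upper:]' '[:lower:]'; }

# max_age VALUE: print the max-age number, or 0 when the directive is absent
max_age() {
    age=$(lower "$1" | sed -n 's/.*max-age=\([0-9]*\).*/\1/p' | head -n 1)
    printf '%s\n' "${age:-0}"
}

# has_directive VALUE NAME: true when NAME appears as a directive of its own
has_directive() {
    lower "$1" | grep -E -q "(^|[; ])$2($|[; ])"
}

# pin_count VALUE: number of pins whose value is 32 bytes of base64
# (43 characters plus one '=' of padding); placeholders do not count
pin_count() {
    printf '%s\n' "$1" | grep -o 'pin-sha256="[A-Za-z0-9+/]\{43\}="' | wc -l | tr -d ' '
}

check_hsts() {
    rc=0
    age=$(max_age "$1")
    [ "$age" -le "$MAX_SAFE_AGE" ] || { echo "HSTS: max-age=$age exceeds $MAX_SAFE_AGE" >&2; rc=1; }
    if has_directive "$1" includesubdomains; then
        echo "HSTS: includeSubDomains locks every subdomain to HTTPS" >&2; rc=1
    fi
    if has_directive "$1" preload; then
        echo "HSTS: preload implies includeSubDomains and max-age>=31536000, and removal is slow" >&2; rc=1
    fi
    return $rc
}

check_hpkp() {
    rc=0
    age=$(max_age "$1")
    [ "$age" -le "$MAX_SAFE_AGE" ] || { echo "HPKP: max-age=$age exceeds $MAX_SAFE_AGE" >&2; rc=1; }
    n=$(pin_count "$1")
    [ "$n" -ge 2 ] || { echo "HPKP: need at least two valid pins (one a backup key), found $n" >&2; rc=1; }
    if has_directive "$1" includesubdomains; then
        echo "HPKP: includeSubDomains spreads a bad pin to every subdomain" >&2; rc=1
    fi
    return $rc
}

# Demo on the values from this post; the placeholder pins fail on purpose.
check_hsts 'max-age=60' && echo "HSTS value accepted"
check_hsts 'max-age=60; includeSubDomains; preload' || echo "old HSTS value rejected"
check_hpkp 'pin-sha256="add-your-pin"; pin-sha256="add-your-another-pin"; max-age=60' || echo "placeholder HPKP value rejected"
```

Run it against the exact string you put between the quotes of the Header directive; the directive names are matched case-insensitively, as browsers do.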
In our old guide we described how to generate the
pin-sha256 value (Enable HTTP Public Key Pinning (HPKP) Nginx With report-uri). Essentially, you run a longer command on the CSR:
openssl req -inform pem -pubkey -noout < www.thecustomizewindows.com.csr | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | base64
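The pin is a SHA-256 digest of the certificate's SubjectPublicKeyInfo, so the same value can be computed from the private key, the CSR or the issued certificate, and for one key all three must agree. The shell script below, an added example rather than the original guide's script, wraps the command above in that three-way check and prints the Header line with a backup pin. It assumes the openssl CLI is installed; the file names and the throwaway key material in the demo are constructed for illustration.

```sh
#!/bin/sh
# Added example, not the original guide's script. The HPKP pin is a
# SHA-256 digest of the SubjectPublicKeyInfo, so it can be computed from
# the private key, the CSR or the issued certificate, and for one key all
# three must agree. Requires the openssl CLI; file paths are the caller's.

# spki_pin: PEM public key on stdin -> base64 pin-sha256 value on stdout
spki_pin() {
    openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | base64
}

pin_from_key()  { openssl pkey -in "$1" -pubout | spki_pin; }
pin_from_csr()  { openssl req -in "$1" -pubkey -noout | spki_pin; }
pin_from_cert() { openssl x509 -in "$1" -pubkey -noout | spki_pin; }

# check_pins_agree KEY CSR CERT: true when all three yield the same
# 44-character pin, i.e. the CSR and cert really carry this key
check_pins_agree() {
    k=$(pin_from_key "$1"); c=$(pin_from_csr "$2"); x=$(pin_from_cert "$3")
    [ "$k" = "$c" ] && [ "$c" = "$x" ] && [ "${#k}" -eq 44 ]
}

# hpkp_header CURRENT_KEY BACKUP_KEY [MAX_AGE]: the Apache line with the
# live pin first and the pin of an offline backup key second. The backup
# pin is what lets you rotate keys without stranding pinned visitors.
hpkp_header() {
    cur=$(pin_from_key "$1"); bak=$(pin_from_key "$2"); age=${3:-60}
    printf "Header always set Public-Key-Pins 'pin-sha256=\"%s\"; pin-sha256=\"%s\"; max-age=%s'\n" \
        "$cur" "$bak" "$age"
}

# make_keypair DIR NAME: throwaway EC key, CSR and self-signed cert for
# the demo below (constructed data, not a real site's material)
make_keypair() {
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$1/$2.key" 2>/dev/null
    openssl req -new -key "$1/$2.key" -subj "/CN=$2" -out "$1/$2.csr" 2>/dev/null
    openssl req -new -x509 -key "$1/$2.key" -subj "/CN=$2" -days 1 -out "$1/$2.crt" 2>/dev/null
}

# Demo: generate a current and a backup key, confirm key/CSR/cert agree,
# then print the header line that would go into the Apache config.
if [ "$#" -eq 0 ] && command -v openssl >/dev/null 2>&1; then
    dir=$(mktemp -d)
    make_keypair "$dir" current
    make_keypair "$dir" backup
    check_pins_agree "$dir/current.key" "$dir/current.csr" "$dir/current.crt" && echo "key, CSR and cert agree"
    hpkp_header "$dir/current.key" "$dir/backup.key" 60
    rm -rf "$dir"
fi
```

Run check_pins_agree against the real key, CSR and certificate every time a certificate is reissued: a CA that re-keys on reissue is exactly the case in which the served chain stops matching the cached pins.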
OCSP stapling can fail in a similar way.
We do not recommend HPKP or HSTS, and probably not OCSP stapling either, for production sites. A domain may lose visitors to odd, unexplained errors; the worst case is a domain made unusable by a non-matching pin value, and none of this is in your hands to reset quickly. OCSP Must-Staple is another fine idea, but both stapling and Must-Staple depend on a good, fresh OCSP response, which is in the hands of the CA, not you. Plain stapling without Must-Staple is the milder of the two: a missing staple just falls back to the client's own revocation checking, whereas Must-Staple turns a missing or stale staple into a hard failure. On Apache, SSLStaplingReturnResponderErrors off at least stops mod_ssl from stapling a responder error into the handshake. HPKP has since been removed from Chrome altogether (in Chrome 72), which settles the HPKP half of the question; the HSTS advice stands as written.