The Customize Windows

Technology Journal

By Abhishek Ghosh August 18, 2018 5:45 pm Updated on August 18, 2018

Safer Value of HPKP and HSTS (And Why You Should Avoid)


This is an unlikely title for us, as we have promoted HPKP and HSTS since they were introduced. Unfortunately, most websites that deployed HPKP (HTTP Public Key Pinning) ran into trouble, including us (we published our own guide to it) and well-known sites such as Smashing Magazine and Scott Helme's website. Most of them have published their experience of the incident to warn others. HPKP protects against a rare attack (a fraudulently issued certificate for your domain) that is not very relevant for content-driven websites. Here are safer values of HPKP and HSTS for Apache2, and a discussion of why you should avoid them on a production site.

 

Safer Value of HPKP and HSTS

 

The major problem is bugs in Chrome. Once HPKP is enabled, Chrome and the other Chromium-based browsers cache the values. If you navigate to chrome://net-internals/#hsts and query our domain thecustomizewindows.com, at present you will get these values:

static_sts_domain: thecustomizewindows.com
static_upgrade_mode: FORCE_HTTPS
static_sts_include_subdomains: true
static_sts_observed: 1533618000
static_pkp_domain:
static_pkp_include_subdomains:
static_pkp_observed:
static_spki_hashes:
dynamic_sts_domain: thecustomizewindows.com
dynamic_upgrade_mode: FORCE_HTTPS
dynamic_sts_include_subdomains: false
dynamic_sts_observed: 1534612314.279288
dynamic_sts_expiry: 1621012314.279287
dynamic_pkp_domain: thecustomizewindows.com
dynamic_pkp_include_subdomains: false
dynamic_pkp_observed: 1534614108.195194
dynamic_pkp_expiry: 1534614138.195194
dynamic_spki_hashes: sha256/SDG5orEv8iX6MNenIAxa8nQFNpROB/6+llsZdXHZNqs=,sha256/i7WTqTvh0OioIruIfFR4kMPnBqrS2rdiVPl/s2uC/CY=,sha256/snqzW9Bwdb/++vjcA36+kbP/qaVMmnB9ckuI3qAkihQ=,sha256/BJKSF/6L2QXz4xK6MVj2RTiyPlFzQx3NcpuxnuqdABk=

You will find an sts_expiry like this for www.smashingmagazine.com too.
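To see what the browser actually holds, and for how long, here is an added example (it is not code from the original page) in Python that parses the chrome://net-internals/#hsts query output above. It runs on the dump reproduced from this page; the served_sts_max_age argument is an assumption of the example: the max-age your server sends right now, so that the script can flag a cached value that no longer matches it.

```python
import datetime as dt

# The query result for thecustomizewindows.com exactly as printed on this page.
# static_* lines come from the preload list compiled into the browser; dynamic_*
# lines were learned from Strict-Transport-Security / Public-Key-Pins headers.
NET_INTERNALS_DUMP = """\
static_sts_domain: thecustomizewindows.com
static_upgrade_mode: FORCE_HTTPS
static_sts_include_subdomains: true
static_sts_observed: 1533618000
static_pkp_domain:
static_pkp_include_subdomains:
static_pkp_observed:
static_spki_hashes:
dynamic_sts_domain: thecustomizewindows.com
dynamic_upgrade_mode: FORCE_HTTPS
dynamic_sts_include_subdomains: false
dynamic_sts_observed: 1534612314.279288
dynamic_sts_expiry: 1621012314.279287
dynamic_pkp_domain: thecustomizewindows.com
dynamic_pkp_include_subdomains: false
dynamic_pkp_observed: 1534614108.195194
dynamic_pkp_expiry: 1534614138.195194
dynamic_spki_hashes: sha256/SDG5orEv8iX6MNenIAxa8nQFNpROB/6+llsZdXHZNqs=,sha256/i7WTqTvh0OioIruIfFR4kMPnBqrS2rdiVPl/s2uC/CY=,sha256/snqzW9Bwdb/++vjcA36+kbP/qaVMmnB9ckuI3qAkihQ=,sha256/BJKSF/6L2QXz4xK6MVj2RTiyPlFzQx3NcpuxnuqdABk=
"""


def parse_dump(text):
    """Turn the 'key: value' lines into a dict; a key with nothing after the colon maps to ''."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def entry(fields, kind):
    """Describe the dynamic 'sts' or 'pkp' entry in epoch seconds: when it was noted,
    when it lapses, and the max-age the browser must have been sent (expiry - observed)."""
    observed = fields.get(f"dynamic_{kind}_observed", "")
    expiry = fields.get(f"dynamic_{kind}_expiry", "")
    if not observed or not expiry:
        return None
    observed_s, expiry_s = float(observed), float(expiry)
    return {
        "observed": observed_s,
        "expiry": expiry_s,
        "max_age": round(expiry_s - observed_s),
        "include_subdomains": fields.get(f"dynamic_{kind}_include_subdomains") == "true",
    }


def pins(fields):
    """The cached SPKI pins, in the 'sha256/<base64>' form Chrome stores them."""
    return [p for p in fields.get("dynamic_spki_hashes", "").split(",") if p]


def day(ts):
    return dt.datetime.fromtimestamp(ts, dt.timezone.utc).strftime("%Y-%m-%d")


def findings(fields, now, served_sts_max_age=None):
    """Checks a site owner wants after a bad deployment, evaluated at epoch time `now`.
    served_sts_max_age (assumed input) is the max-age the server sends today."""
    out = []
    if fields.get("static_sts_domain"):
        out.append("static HSTS entry: baked into the browser from the preload list; "
                   "lowering max-age on the server does not remove it")
    sts = entry(fields, "sts")
    if sts:
        left = sts["expiry"] - now
        state = (f"enforced until {day(sts['expiry'])} ({int(left // 86400)} more days) "
                 "unless the browser sees a smaller max-age" if left > 0 else "expired")
        out.append(f"dynamic HSTS: recorded max-age={sts['max_age']}s "
                   f"({sts['max_age'] // 86400} days), {state}")
        if served_sts_max_age is not None and sts["max_age"] != served_sts_max_age:
            out.append(f"dynamic HSTS: cached max-age differs from the {served_sts_max_age}s "
                       "the server sends now; browsers keep the old value until it expires "
                       "or a new header replaces it")
    pkp = entry(fields, "pkp")
    if pkp:
        left = pkp["expiry"] - now
        state = f"active for {int(left)}s more" if left > 0 else f"expired on {day(pkp['expiry'])}"
        out.append(f"dynamic HPKP: {len(pins(fields))} pins, recorded max-age={pkp['max_age']}s, {state}")
        sts_covers_subs = (fields.get("static_sts_include_subdomains") == "true"
                           or bool(sts and sts["include_subdomains"]))
        if sts_covers_subs and not pkp["include_subdomains"]:
            out.append("HSTS covers subdomains but the pins do not: subdomains are forced "
                       "to HTTPS yet are not pinned")
    return out


if __name__ == "__main__":
    for line in findings(parse_dump(NET_INTERNALS_DUMP), dt.datetime.now().timestamp(), 60):
        print(line)
```

The recorded max-age is simply expiry minus observed; for the HSTS entry above that is 86,400,000 seconds (1000 days), and for the pins 30 seconds, which is why the pin entry was already expired two weeks later while the HSTS entry was not.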


After our problem, our site was thankfully made accessible again with extensive help from a GeoTrust partner, by deletion of the public key pin values. We ourselves applied to be removed from the HSTS preload list, which failed. As you can see, two weeks after the incident not all values have been flushed yet. In other words, without their help we would still be in the dark.

 

Why You Should Avoid HPKP and HSTS

 

Because there is no reason to advertise that you will always use HTTPS. The certificate authorities allowed to issue for your domain can instead be named in DNS with a CAA record; that addresses mis-issuance, the threat HPKP is meant for, without storing any state in visitors' browsers (it does not force HTTPS, which is what HSTS does).

A minor error in the cached HPKP or HSTS value, whether caused by a technical issue on your side or by the CA (for HPKP), can make your site effectively unreachable in Chrome: a pin-validation failure is a hard error that the visitor cannot click through.

Of course, you can use a very low value to stay on the safe side. However, a low value still needs regular monitoring, because the cached value may jump very high, triggered by some bug we could not identify, as happened to us:

dynamic_sts_observed: 1534612314.279288
dynamic_sts_expiry: 1621012314.279287

The gap between these two timestamps is 86,400,000 seconds, that is, the browser recorded a max-age of 1000 days.

HSTS and HPKP are unfortunately tied to the browsers' current implementation. With subdomains included in HSTS, an error in HPKP means you cannot even redirect visitors to a subdomain (the www version, in our case).

 

Recommended Safer Values of HPKP and HSTS and How to Generate Them for Apache

 

Settings and a basic guide can be found in our older guides to set up HPKP and HSTS. However, make the max-age very low and do not include subdomains:

Header always set Strict-Transport-Security "max-age=60"
Header always set Public-Key-Pins 'pin-sha256="add-your-pin"; pin-sha256="add-your-backup-pin"; max-age=60'

The preload directive is left out as well: the preload list requires a max-age of at least one year together with includeSubDomains, and once a domain is preloaded the entry cannot be removed by lowering max-age. The second pin must be for a backup key that is not in the served chain; browsers discard a Public-Key-Pins header without such a backup pin.

For comparison, this is the line from our older guide, which pinned for 60 days (max-age=5184000) and included subdomains:

Header always set Public-Key-Pins 'pin-sha256="add-your-pin"; pin-sha256="add-your-another-pin"; max-age=5184000; includeSubDomains'

HSTS and HPKP each carry their own includeSubDomains directive; one is not inherited from the other. They do interact, though: if HSTS already covers your subdomains (for a preloaded domain the static_sts_include_subdomains: true line above shows this), a pin failure on the main host cannot be worked around by sending visitors to a subdomain over plain HTTP.

In our old guide, Enable HTTP Public Key Pinning (HPKP) Nginx With report-uri, we described how to generate the pin-sha256 value. Essentially, you extract the public key from the CSR, DER-encode it, take its SHA-256 digest and base64-encode that:
openssl req -inform pem -pubkey -noout < www.thecustomizewindows.com.csr | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | base64
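As an added example (not code from the original page or its older guides), the following Python linter checks a Strict-Transport-Security and a Public-Key-Pins value before they go into the Apache Header lines above. The served-chain pins are the base64 digests the openssl pipeline above produces, one per certificate in the chain; running that pipeline on a CSR for a second, offline key gives the backup pin. The example assumes, which the page does not state, that the first two pins from the net-internals dump belong to the served leaf and intermediate and the other two are backups.

```python
import re

BASE64_SHA256 = re.compile(r"^[A-Za-z0-9+/]{43}=$")  # a 32-byte digest in base64
PRELOAD_MIN_MAX_AGE = 31536000                        # hstspreload.org: at least one year
ONE_WEEK = 7 * 86400                                  # beyond this a bad pin hurts for too long

# The four pins Chrome had cached for this site (from the net-internals dump above).
# Assumed for this example only: the first two are the served leaf and intermediate,
# the last two are offline backup keys. The page does not say which is which.
PINS = [
    "SDG5orEv8iX6MNenIAxa8nQFNpROB/6+llsZdXHZNqs=",
    "i7WTqTvh0OioIruIfFR4kMPnBqrS2rdiVPl/s2uC/CY=",
    "snqzW9Bwdb/++vjcA36+kbP/qaVMmnB9ckuI3qAkihQ=",
    "BJKSF/6L2QXz4xK6MVj2RTiyPlFzQx3NcpuxnuqdABk=",
]
SERVED_CHAIN_PINS = PINS[:2]


def parse_directives(value):
    """Split 'a=1; b; c="x"' into (name, value) pairs, in order. Names are case-
    insensitive; pin-sha256 legitimately repeats, so the result is a list, not a dict."""
    pairs = []
    for part in value.split(";"):
        part = part.strip()
        if part:
            name, _, val = part.partition("=")
            pairs.append((name.strip().lower(), val.strip().strip('"')))
    return pairs


def lint_hsts(value):
    """Problems with a Strict-Transport-Security value; [] means it is the low-risk form."""
    d = dict(parse_directives(value))
    if not d.get("max-age", "").isdigit():
        return ["HSTS: max-age missing or not a number"]
    max_age = int(d["max-age"])
    problems = []
    if "preload" in d:
        problems.append("HSTS: 'preload' asks browsers to hard-code the policy; a static entry "
                        "is not undone by lowering max-age later")
        if max_age < PRELOAD_MIN_MAX_AGE or "includesubdomains" not in d:
            problems.append("HSTS: the preload list requires max-age >= 31536000 and "
                            "includeSubDomains, so 'preload' here is inconsistent")
    if "includesubdomains" in d:
        problems.append("HSTS: includeSubDomains forces HTTPS on every subdomain, including "
                        "any that has no certificate")
    return problems


def lint_hpkp(value, served_pins):
    """Problems with a Public-Key-Pins value. served_pins are the base64 SPKI digests of
    the certificates the server actually sends (the openssl pipeline above, once per
    certificate). RFC 7469 needs at least one pin in the chain and at least one backup
    pin that is not; without both, browsers discard the header."""
    directives = parse_directives(value)
    pins = [v for n, v in directives if n == "pin-sha256"]
    d = {n: v for n, v in directives if n != "pin-sha256"}
    problems = [f"HPKP: {p!r} is not a base64 SHA-256 digest" for p in pins
                if not BASE64_SHA256.match(p)]
    if not d.get("max-age", "").isdigit():
        problems.append("HPKP: max-age missing or not a number")
    elif int(d["max-age"]) > ONE_WEEK:
        problems.append(f"HPKP: max-age={d['max-age']} keeps a wrong pin enforced for "
                        f"{int(d['max-age']) // 86400} days in every browser that saw it")
    matching = [p for p in pins if p in served_pins]
    if not matching:
        problems.append("HPKP: no pin matches the served chain; browsers would refuse the site")
    elif len(matching) == len(pins):
        problems.append("HPKP: no backup pin; every pin is in the served chain, so losing "
                        "that key locks out every visitor who cached the header")
    if "includesubdomains" in d:
        problems.append("HPKP: includeSubDomains pins every subdomain to these keys")
    return problems


def header_value(pins, max_age):
    """Build the Public-Key-Pins value for Apache's Header directive."""
    return "; ".join([f'pin-sha256="{p}"' for p in pins] + [f"max-age={max_age}"])


if __name__ == "__main__":
    for name, h in [("safe", "max-age=60"), ("old", "max-age=60; includeSubDomains; preload")]:
        print("HSTS", name, lint_hsts(h) or "ok")
    for name, h in [("safe", header_value([PINS[0], PINS[2]], 60)),
                    ("old", header_value(PINS[:2], 5184000) + "; includeSubDomains")]:
        print("HPKP", name, lint_hpkp(h, SERVED_CHAIN_PINS) or "ok")
```

Run it against the exact strings you are about to put into the Header directives; the served-chain check is the one that catches a renewal with a fresh key, which is how a correctly generated pin turns into a lockout.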

OCSP Stapling has a similar failure mode: if the server staples a stale or invalid OCSP response (see our guide on the Nginx "OCSP Response Expired" error), browsers can treat the connection as broken, and with OCSP Must-Staple a missing response is fatal in browsers that honour it.

 

Conclusion

 

We do not recommend using HPKP or HSTS, and probably not OCSP Stapling either, on production sites. A domain may lose visitors to odd, unexplained errors; the worst case is an unusable domain because of a pin that does not match. None of these can be reset quickly by you, because the state lives in your visitors' browsers. OCSP Must-Staple is another great idea in principle, but OCSP Stapling and Must-Staple both need a good OCSP response, which is in the hands of the CA, not you. (Chrome itself deprecated HPKP and has since removed support in Chrome 72, so the Public-Key-Pins header no longer has any effect there.)
