
By Abhishek Ghosh August 18, 2018 5:45 pm Updated on August 18, 2018

Safer Value of HPKP and HSTS (And Why You Should Avoid)


This may seem an unlikely title for us, since we have promoted HPKP and HSTS ever since they were introduced. The majority of websites that deployed HPKP (HTTP Public Key Pinning) unfortunately ran into trouble, including us (we published our incident as a guide) and well-known sites such as Smashing Magazine and Scott Helme's website. Most of them have published their experience of such an incident to warn others. HPKP protects against a rare attack that is not very relevant for content-driven websites. Here are possible safer values of HPKP and HSTS for Apache2, and a discussion of why you should avoid them on a production site.

Safer Value of HPKP and HSTS

The major problem is bugs in Chrome. When we enable HPKP, Chrome and all of Google's browsers cache the policy. If you navigate to chrome://net-internals/#hsts and query our domain thecustomizewindows.com, at present you will get these values:

static_sts_domain: thecustomizewindows.com
static_upgrade_mode: FORCE_HTTPS
static_sts_include_subdomains: true
static_sts_observed: 1533618000
static_pkp_domain:
static_pkp_include_subdomains:
static_pkp_observed:
static_spki_hashes:
dynamic_sts_domain: thecustomizewindows.com
dynamic_upgrade_mode: FORCE_HTTPS
dynamic_sts_include_subdomains: false
dynamic_sts_observed: 1534612314.279288
dynamic_sts_expiry: 1621012314.279287
dynamic_pkp_domain: thecustomizewindows.com
dynamic_pkp_include_subdomains: false
dynamic_pkp_observed: 1534614108.195194
dynamic_pkp_expiry: 1534614138.195194
dynamic_spki_hashes: sha256/SDG5orEv8iX6MNenIAxa8nQFNpROB/6+llsZdXHZNqs=,sha256/i7WTqTvh0OioIruIfFR4kMPnBqrS2rdiVPl/s2uC/CY=,sha256/snqzW9Bwdb/++vjcA36+kbP/qaVMmnB9ckuI3qAkihQ=,sha256/BJKSF/6L2QXz4xK6MVj2RTiyPlFzQx3NcpuxnuqdABk=

You will get similar sts_expiry values for www.smashingmagazine.com too.


After our problem, our site was thankfully made accessible again with extensive help from a partner of GeoTrust, who deleted the public key pin values. We ourselves applied to be removed from the HSTS list, which failed. As you can see, two weeks after the incident not all values have been flushed yet. In other words, without their help we would have remained in the dark.

Why You Should Avoid HPKP and HSTS

Because there is no reason to advertise that you will always use HTTPS. You can always declare your CA in DNS with a CAA record.

A minor error in the cached HPKP or HSTS value, whether caused by your own technical issue or by the CA (for HPKP), may make your site virtually banned by Google.

Of course, you can use a very low value to stay on the safe side. However, a low value needs to be monitored regularly, because it may become very high when triggered by some unknown bug, as happened to us:

dynamic_sts_observed: 1534612314.279288
dynamic_sts_expiry: 1621012314.279287

HSTS and HPKP are unfortunately tied to the browser with current technology. With subdomains included in HSTS and an error in HPKP, you cannot even redirect to your subdomain (like the www version in our case).

Recommended Safer Values HPKP and HSTS and How to Generate Them For Apache

Settings and a basic guide can be found in our older guides on setting up HPKP and HSTS. However, make the value very low and do not include subdomains:

Header always set Strict-Transport-Security "max-age=60; includeSubDomains; preload"
Header always set Public-Key-Pins 'pin-sha256="add-your-pin"; pin-sha256="add-your-another-pin"; max-age=60;'

Notice that the line adding the public key pin lacks includeSubDomains, in contrast to a value like this:

Header always set Public-Key-Pins 'pin-sha256="add-your-pin"; pin-sha256="add-your-another-pin"; max-age=5184000; includeSubDomains'

However, includeSubDomains may effectively get inherited from the HSTS value.
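To check the header values recommended above and the chrome://net-internals/#hsts dump shown earlier, here is an added Python example (not code from the original post or from this site). It parses the directives of a Strict-Transport-Security or Public-Key-Pins value, flags the settings the article warns about, and converts the observed/expiry timestamps from the dump into a policy lifetime and a UTC expiry date; the one-year threshold for preload is assumed from the preload list's current submission rule.

```python
from datetime import datetime, timezone

ONE_YEAR = 31536000  # assumed: hstspreload.org's minimum max-age for a preload submission

def parse_directives(header_value):
    """Split 'max-age=60; includeSubDomains; preload' into a dict; pin-sha256 repeats into a list."""
    out = {}
    for part in header_value.split(";"):
        name, _, value = part.strip().partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "pin-sha256":
            out.setdefault(name, []).append(value)
        elif name:
            out[name] = value or True
    return out

def audit_hsts(header_value):
    """Return (max_age, findings) for a Strict-Transport-Security value."""
    d, findings = parse_directives(header_value), []
    max_age = int(d.get("max-age", 0))
    if "includesubdomains" in d:
        findings.append("includeSubDomains: a stale cached policy also blocks every subdomain")
    if "preload" in d and max_age < ONE_YEAR:
        findings.append("preload with max-age below one year is rejected by the preload list")
    return max_age, findings

def audit_hpkp(header_value):
    """Return (max_age, findings) for a Public-Key-Pins value."""
    d, findings = parse_directives(header_value), []
    if len(d.get("pin-sha256", [])) < 2:
        findings.append("fewer than two pins: RFC 7469 requires a backup pin")
    if "includesubdomains" in d:
        findings.append("includeSubDomains: a mismatched pin also locks out subdomains")
    return int(d.get("max-age", 0)), findings

def policy_lifetimes(dump):
    """From chrome://net-internals/#hsts 'key: value' lines, give each dynamic policy's lifetime and UTC expiry."""
    fields = {k.strip(): v.strip() for k, v in (line.split(":", 1) for line in dump.strip().splitlines())}
    out = {}
    for kind in ("sts", "pkp"):
        obs, exp = fields.get("dynamic_%s_observed" % kind), fields.get("dynamic_%s_expiry" % kind)
        if obs and exp:
            out[kind] = {"seconds": float(exp) - float(obs),
                         "expires": datetime.fromtimestamp(float(exp), timezone.utc)}
    return out

# Constructed dump, using the dynamic_* lines the article quotes from its own domain.
SAMPLE_DUMP = """dynamic_sts_observed: 1534612314.279288
dynamic_sts_expiry: 1621012314.279287
dynamic_pkp_observed: 1534614108.195194
dynamic_pkp_expiry: 1534614138.195194"""
```

Running policy_lifetimes(SAMPLE_DUMP) shows the HSTS entry from the article being honoured for about 1000 days (until May 2021) while the HPKP entry lasted only 30 seconds, which is the mismatch the article describes.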

In our old guide, Enable HTTP Public Key Pinning (HPKP) Nginx With report-uri, we described how to generate the pin-sha256 value. Essentially, you run a longer command on the CSR:

openssl req -inform pem -pubkey -noout < www.thecustomizewindows.com.csr | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | base64

In the same way, OCSP Stapling may throw errors.

Conclusion

We do not recommend using HPKP, HSTS, and probably also OCSP Stapling, on production sites. A domain may lose visitors to odd, unknown errors. The worst case is an unusable domain caused by a non-matching pin value. These are not things we can quickly reset ourselves. OCSP Must-Staple is another great idea, but OCSP Stapling and OCSP Must-Staple need a good OCSP response, which is in the hands of the CA, not you.

Cite this article as: Abhishek Ghosh, "Safer Value of HPKP and HSTS (And Why You Should Avoid)," in The Customize Windows, August 18, 2018, January 17, 2021, https://thecustomizewindows.com/2018/08/safer-value-of-hpkp-and-hsts-and-why-you-should-avoid/.
