We already have HSTS on our website, but HPKP seems to be the next generation public-key authentication for websites and we have been recommended to deploy it.
This would serve as a mitigation technique against MitM on our website (HPKP is at least TOFU, until we get in the preload list see #9027).
dkg recommends making two backup end-entity keys on an offline machine, and pinning to your active key + these two others.
#7 Updated by intrigeri about 2 years ago
Our website now uses certificates issued by Let's Encrypt. Most Let's Encrypt clients generate a new key upon renewal, which is incompatible with pinning our public key with HPKP. The options we have are thus:
- pin the root CA instead of our own leaf key, as GitHub does
- pros: relatively easy to implement, not too easy to get it wrong
- cons: does not protect against compromise of the Let's Encrypt CA (and any additional root CA we're likely to switch to if we ever have issues with Let's Encrypt, that we should include in the pinning)
- tweak the Let's Encrypt renewal process to reuse the same key, and pin it
- pros: protects against compromise of the Let's Encrypt CA
- cons: renewing the key is tricky, see https://scotthelme.co.uk/setting-up-le/ for hints; it's very easy to get it wrong and lock people out of our website for a long time
My current thinking is that the 2nd option is risky and requires too much work, but the first option seems doable: it could be a good candidate when we create our 2018-2019 sysadmin roadmap.
In any case, additional offline backup keys are a must.
#9 Updated by sajolida over 1 year ago
Chrome is discussing the removal of HPKP from Chrome in 2018:
- Target version changed from Tails_3.9 to Tails_3.10.1
The release notes for Chrome are actually hard to find. I found this:
with no sign of removal of HPKP in Chrome 68.
I'll check again in a couple of months.
My understanding is that in the end, HPKP support was removed in Chrome 72. HPKP is currently only supported by Firefox and Opera. All the websites I knew used HKPK in the past have stopped. I think implementing HPKP is not worth the effort anymore and I propose we reject this ticket.
Then we might want to investigate alternate TLS key/certificate hardening options:
- Google now recommends using the Expect-CT header for Certificate Transparency instead. This header allows requiring the browser to refuse connections if the certificate is not in the Certificate Transparency logs. This is currently only supported by Chrome and Opera. It might be worth considering on a separate ticket.
- DNS CAA (#15637)