The complexities of HPKP leave many websites exposed

Mar 24, 2016 13:55 GMT

A recent market survey has revealed that 0.09% of all HTTPS websites, which is around 4,100 sites, use the HTTP Public Key Pinning (HPKP) header to secure their domain-issued SSL/TLS certificates.

HPKP is an HTTP security extension formally published in April 2015 (RFC 7469). This standard defines a method through which HTTPS website owners can have browsers remember a list of their public keys and, on later visits, allow access to the domain only if the server presents a certificate chain containing one of those keys.

HPKP is useful when attackers have valid certificates issued for your domain

The mechanism protects against attackers who run rogue websites spoofing the original site and present valid certificates, obtained through illicit means, that browsers would otherwise accept.

There are various ways through which determined attackers can obtain valid certificates. They can do it by social engineering the CA, by exploiting technical flaws, through CA data breaches, or by leveraging weak certificate issuance policies.

HPKP was created to address exactly these situations, in which Web services suffer because of a certificate authority's lax procedures.

How HPKP works

When a webmaster sets an HPKP header for his website, browsers that connect to the domain for the first time receive a list of public key hashes (pins) that the site's certificate chain must match on later visits.

These pins are stored in the user's browser, and when he revisits the same site the browser checks, while setting up the HTTPS connection, that the certificate chain the server presents contains at least one of the pinned public keys.

If it does not, the browser blocks the user from accessing the site altogether. While this is a good thing when attackers are trying to fool users into visiting spoofed websites, a misconfiguration on a legitimate website can lock users out of the site for months at a time, until the stored policy expires.

HPKP misconfigurations can block users from accessing your site

Netcraft, the company that conducted the survey, estimates that this risk, rather than any lack of usefulness, is the reason HPKP usage remains low a year after its release.

Besides the constant maintenance work needed to correctly support HPKP, webmasters must also possess a tightrope acrobat's nerves when walking a thin line that separates security from total business shutdown.

"Even for those webmasters who have set a valid policy, a lot of ongoing care and attention is required: both routine and emergency maintenance poses a significant risk of blocking legitimate visitors, potentially for long periods of time," Netcraft's Paul Mutton explains.

These reasons explain why only about 4,100 websites have chosen to send HPKP headers. Unfortunately, Netcraft says the real number is closer to 3,000, since around a quarter of these sites have implemented an improper HPKP header.
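To show what "improper" means in practice, here is an added check (not code from the article or from Netcraft) that parses a Public-Key-Pins header and applies the RFC 7469 rules a browser uses: each pin must be the base64 SHA-256 digest of a certificate's SubjectPublicKeyInfo, max-age is mandatory, at least one pin must match the served chain, and at least one backup pin must not. The SPKI bytes, pins and header values are constructed placeholders, not real keys.

```python
import base64
import binascii
import hashlib

def spki_pin(spki_der: bytes) -> str:
    # A pin-sha256 value is the base64 of SHA-256 over the DER SubjectPublicKeyInfo.
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()

def parse_hpkp(header: str) -> dict:
    """Split a Public-Key-Pins header value into its pins, max-age and flag."""
    policy = {"pins": [], "max_age": None, "include_subdomains": False}
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "pin-sha256":
            policy["pins"].append(value)
        elif name == "max-age":
            policy["max_age"] = int(value)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
    return policy

def check_hpkp(header: str, chain_pins: list) -> list:
    """Return the RFC 7469 problems found; an empty list means browsers would accept the policy."""
    policy, problems, valid = parse_hpkp(header), [], []
    for pin in policy["pins"]:
        try:
            raw = base64.b64decode(pin, validate=True)
        except binascii.Error:
            raw = b""
        if len(raw) != 32:
            problems.append(f"pin is not base64 of a 32-byte SHA-256 digest: {pin!r}")
        else:
            valid.append(pin)
    if policy["max_age"] is None:
        problems.append("max-age directive missing (required)")
    chain = set(chain_pins)
    if not chain & set(valid):
        problems.append("no pin matches the served chain (header ignored; an already-pinned site is blocked)")
    if not set(valid) - chain:
        problems.append("no backup pin outside the chain (browsers reject the policy)")
    return problems

# Constructed placeholder SPKI blobs and pins for demonstration; not real keys or DER.
LEAF_PIN = spki_pin(b"constructed leaf SubjectPublicKeyInfo")
BACKUP_PIN = spki_pin(b"constructed offline backup SubjectPublicKeyInfo")
GOOD_HEADER = f'pin-sha256="{LEAF_PIN}"; pin-sha256="{BACKUP_PIN}"; max-age=5184000; includeSubDomains'
BAD_HEADER = f'pin-sha256="{LEAF_PIN}"; max-age=5184000'  # the common mistake: no backup pin
```

Calling check_hpkp(BAD_HEADER, [LEAF_PIN]) reports the missing backup pin, the error that leaves a site with no way to rotate keys without locking out returning visitors.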

Implementing HPKP is not overly complex, it's just a lot of hard work

The positive part is that, once properly set up and once webmasters settle into a routine of managing the pinned certificates and the key hashes browsers store for them, HPKP adds the much-needed security that most websites handling sensitive data need.

Some of the most famous services that have already implemented HPKP include GitHub, Mozilla, and Pixabay.

Even so, incidents like Lenovo's Superfish and Dell's eDellRoot, in which those companies shipped additional root certificates with their products, allow attackers to get around HPKP, since browsers do not enforce pins against certificate chains that validate through a locally installed root.

Additionally, any attacker with access to the user's browser profile can alter a domain's stored list of pinned public keys, negating HPKP's protections or even locking the user out of the legitimate website and into a malicious clone.

Photo: Many webmasters fail to implement HPKP
Photo: How HPKP can prevent domain spoofing attacks