Venerable net-scan outfit Netcraft has issued what cliché would describe as “a stinging rebuke” to sysadmins the world over, for ignoring HTTP Public Key Pinning (HPKP).
Pinning is designed to defend users against impersonation attacks, in which an attacker tricks a certificate authority to issue a fraudulent certificate for a site.
If the attacker can present a user with a certificate for fubar.com, they can impersonate the site, opening a path for malfeasance like credential harvesting.
HPKP would address this – but as Netcraft says here, it only works if sysadmins apply it at the server, and they're not.
“Less than 0.1% of certificates found in Netcraft's March 2016 SSL Survey were served with the HPKP header,” the post says, adding: “Where it has been deployed, a third of webmasters have mistakenly set a broken HPKP policy. With so many mistakes being made, the barrier to entry is evidently high.”
Putting that into numbers, Netcraft says only 3,000 certificates are using HPKP: 4,100 sites in total are serving the public-key-pins header, but a quarter of those are making mistakes with it.
The biggest reason Netcraft gives for sysadmins avoiding the protocol is that while it relieves risk for users, there is a risk for the business using HPKP. Sysadmins have to set a policy lifetime for HPKP – and if the site operator loses the certificate keys, their site will be inaccessible for the whole of that policy lifetime.
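As an added example (not code from Netcraft's post or this article), the Python below parses a Public-Key-Pins header, flags the kinds of mistakes that leave a policy broken, and turns max-age into the lockout window described above. The pin values are constructed, and the rules checked are those RFC 7469 states: at least two pins, one a backup not in the served chain, and an integer max-age.

```python
import base64
import hashlib

def spki_pin(spki_der: bytes) -> str:
    """Base64 SHA-256 of a DER SubjectPublicKeyInfo: the value a pin-sha256 carries."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()

def parse_hpkp(header: str) -> dict:
    """Split a Public-Key-Pins header value into its pins and other directives."""
    pins, directives = [], {}
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "pin-sha256":
            pins.append(value)
        elif name:
            directives[name] = value
    return {"pins": pins, "directives": directives}

def check_hpkp(header: str, served_pins: set) -> list:
    """Defects that make browsers discard the policy or leave the site with no recovery path."""
    policy = parse_hpkp(header)
    problems = []
    for pin in policy["pins"]:
        try:
            if len(base64.b64decode(pin, validate=True)) != 32:
                problems.append(f"pin is not a 32-byte SHA-256 digest: {pin}")
        except ValueError:  # binascii.Error is a ValueError
            problems.append(f"pin is not valid base64: {pin}")
    if not policy["directives"].get("max-age", "").isdigit():
        problems.append("max-age missing or not a non-negative integer")
    if len(policy["pins"]) < 2:
        problems.append("fewer than two pins: RFC 7469 requires a backup pin")
    if not any(pin in served_pins for pin in policy["pins"]):
        problems.append("no pin matches the served chain: browsers ignore the header")
    elif all(pin in served_pins for pin in policy["pins"]):
        problems.append("every pin is in the served chain: losing those keys locks users out")
    return problems

def lockout_days(header: str) -> float:
    """Days a client that cached this policy stays locked out if the pinned keys are lost."""
    return int(parse_hpkp(header)["directives"].get("max-age", "0")) / 86400

if __name__ == "__main__":
    # Constructed pins (not any real site's keys); lifetime mirrors a year-long policy.
    leaf, backup = spki_pin(b"constructed leaf SPKI"), spki_pin(b"constructed backup SPKI")
    header = f'pin-sha256="{leaf}"; pin-sha256="{backup}"; max-age=31536000; includeSubDomains'
    print(check_hpkp(header, {leaf}), lockout_days(header))
```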
The three case studies the post provides illustrate the challenge involved in that trade-off:
- Github uses HPKP, but sets the policy's time-to-live at 300 seconds. That minimises user disruption if Github has a problem, but gives attackers a five-minute window. As a result, if there is an attack, “anybody who has not visited the real www.github.com within the past five minutes is a potential victim”.
- Mozilla takes more risk: its support site has a policy life of 15 days – painful in the case of a problem.
- Pixabay, Netcraft says, takes the biggest risk: with a policy lifetime of a whole year, losing its private keys would put an end to the business, but as the post says, “Pixabay has evidently decided that robust prevention of impersonation attacks is worth the risk.” ®