Only 0.1% of you are doing web server security right

Certificate pinning is a useful thing, says Netcraft. So why do hardly any of you use it?


Venerable net-scan outfit Netcraft has issued what cliché would describe as “a stinging rebuke” to sysadmins the world over, for ignoring HTTP Public Key Pinning (HPKP).

Pinning is designed to defend users against impersonation attacks, in which an attacker tricks a certificate authority to issue a fraudulent certificate for a site.

If the attacker can present a user with a certificate for fubar.com, they can impersonate the site, opening a path for malfeasance like credential harvesting.

HPKP would address – but as Netcraft says here, it only works if sysadmins apply it at the server, and they're not.

“Less than 0.1% of certificates found in Netcraft's March 2016 SSL Survey were served with the HPKP header,” the post says, adding: “Where it has been deployed, a third of webmasters have mistakenly set a broken HPKP policy. With so many mistakes being made, the barrier to entry is evidently high.”

Putting that into numbers, Netcraft says only 3,000 certficates are using HPKP: 4,100 sites in total are serving the public-key-pins header, but a quarter of those are making mistakes with it.

The biggest reason Netcraft gives for sysadmins avoiding the protocol is that while it relieves risk for users, there is a risk for the business using HPKP. Sysadmins have to set a policy lifetime for HPKP – and if the site operator loses the certificate keys, their site will be inaccessible for the whole of that policy lifetime.

The three case studies the post provides illustrate the challenge involved in that trade-off:

  • Github uses HPKP, but sets the policy's time-to-live at 300 seconds. That minimises user disruption if Github has a problem, but gives attackers a five-minute window. As a result, if there is an attack, “ anybody who has not visited the real www.github.com within the past five minutes is a potential victim”.
  • Mozilla takes more risk: its support site has a policy life of 15 days – painful in the case of a problem.
  • Pixabay, Netcraft says, takes the biggest risk: with a policy lifetime of a whole year, losing its private keys would put an end to the business, but as the post says, “Pixabay has evidently decided that robust prevention of impersonation attacks is worth the risk.” ®

Similar topics


Other stories you might like

  • Google Pixel 6, 6 Pro Android 12 smartphone launch marred by shopping cart crashes

    Chocolate Factory talks up Tensor mobile SoC, Titan M2 security ... for those who can get them

    Google held a virtual event on Tuesday to introduce its latest Android phones, the Pixel 6 and 6 Pro, which are based on a Google-designed Tensor system-on-a-chip (SoC).

    "We're getting the most out of leading edge hardware and software, and AI," said Rick Osterloh, SVP of devices and services at Google. "The brains of our new Pixel lineup is Google Tensor, a mobile system on a chip that we designed specifically around our ambient computing vision and Google's work in AI."

    This latest Tensor SoC has dual Arm Cortex-X1 CPU cores running at 2.8GHz to handle application threads that need a lot of oomph, two Cortex-A76 cores at 2.25GHz for more modest workloads, and four 1.8GHz workhorse Cortex-A55 cores for lighter, less-energy-intensive tasks.

    Continue reading
  • BlackMatter ransomware gang will target agriculture for its next harvest – Uncle Sam

    What was that about hackable tractors?

    The US CISA cybersecurity agency has warned that the Darkside ransomware gang, aka BlackMatter, has been targeting American food and agriculture businesses – and urges security pros to be on the lookout for indicators of compromise.

    Well known in Western infosec circles for causing the shutdown of the US Colonial Pipeline, Darkside's apparent rebranding as BlackMatter after promising to go away for good in the wake of the pipeline hack hasn't slowed their criminal extortion down at all.

    "Ransomware attacks against critical infrastructure entities could directly affect consumer access to critical infrastructure services; therefore, CISA, the FBI, and NSA urge all organizations, including critical infrastructure organizations, to implement the recommendations listed in the Mitigations section of this joint advisory," said the agencies in an alert published on the CISA website.

    Continue reading
  • It's heeere: Node.js 17 is out – but not for production use, says dev team

    EcmaScript 6 modules will not stop growing use of Node, claims chair of Technical Steering Committee

    Node.js 17 is out, loaded with OpenSSL 3 and other new features, but it is not intended for use in production – and the promotion for Node.js 16 to an LTS release, expected soon, may be more important to most developers.

    The release cycle is based on six-monthly major versions, with only the even numbers becoming LTS (long term support) editions. The rule is that a new even-numbered release becomes LTS six months later. All releases get six months of support. This means that Node.js 17 is primarily for testing and experimentation, but also that Node.js 16 (released in April) is about to become LTS. New features in 16 included version 9.0 of the V8 JavaScript engine and prebuilt Apple silicon binaries.

    "We put together the LTS release process almost five years ago, it works quite well in that we're balancing [the fact] that some people want the latest, others prefer to have things be stable… when we go LTS," Red Hat's Michael Dawson, chair of the Node.js Technical Steering Committee, told The Register.

    Continue reading

Biting the hand that feeds IT © 1998–2021