Jump to content
Not connected, Your IP: 3.136.22.204
Sign in to follow this  
userusingused

Suggestion: Implement HPKP (pinning) on airvpn.org

Recommended Posts

HPKP (HTTP Public Key Pinning) is a strong way to protect against Man in the Middle attacks by sending a fingerprint of the certificate to the browser, and on subsequent visits, the browser will compare the fingerprint to the stored one, and will abort the connection when when they do not match.
The idea behind the implementation is kind of the same as HSTS(HTTP Header, trust on first use and has a expiry age), but by limiting the certificates to your CA or even the specific server certificates, MitM becomes much harder.
Some more info on implementation:
https://scotthelme.co.uk/hpkp-http-public-key-pinning/?PageSpeed=noscript

Both Firefox and Chrome already support it since v35. IE unfortunately not, but they're always behind. IE just started supporting HSTS a few months ago, while Chrome and Firefox already support it for 5 years.

Share this post


Link to post

This will break the site in case someone will try to access it behind an SSL inspecting proxy.

Which, as should be assumed, not so uncommon scenario for a public VPN provider.

 

HSTS mitigates -almost- all MiTM risks - except one that includes a valid CA that will sign the same CommonName object.

The best part of this is that it will not break usage in case of SSL proxies.


Occasional moderator, sometimes BOFH. Opinions are my own, except when my wife disagrees.

Share this post


Link to post

This will break the site in case someone will try to access it behind an SSL inspecting proxy.

Which, as should be assumed, not so uncommon scenario for a public VPN provider.

 

HSTS mitigates -almost- all MiTM risks - except one that includes a valid CA that will sign the same CommonName object.

The best part of this is that it will not break usage in case of SSL proxies.

That should not be the concern of the website doing HPKP, but the SSL proxy. When HPKP gets more traction in the future, SSL proxies will have to deal with this. I don't know if there is a way to make it compatible and still enjoy the benefits, but they could easily strip the HPKP headers and nothing would break.

 

A valid CA signing the same CommonName object is not the only concern. In the past attackers have breached CA's in order to do it themselves. And besides governments forcing CA's to cooperate, there are also government owned CA's that can easily do it themselves.

 

For readers' comfort: HSTS is implemented in airvpn.org

https://www.ssllabs.com/ssltest/analyze.html?d=airvpn.org

 

HPKP is not planned.

 

Kind regards

I hope you'll reconsider HPKP for the future.

Share this post


Link to post

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...
  • Security Check
    Play CAPTCHA Audio
    Refresh Image
Sign in to follow this  

×
×
  • Create New...