Opened 12 months ago

Last modified 3 months ago

#25146 new task

Enable HPKP for aus1

Reported by: gk Owned by: tpa
Priority: Medium Milestone:
Component: Internal Services/Tor Sysadmin Team Version:
Severity: Normal Keywords:
Cc: brade, mcs Actual Points:
Parent ID: Points:
Reviewer: Sponsor:


So, this seems to have fallen through the cracks. A while ago I got asked to ask Mozilla how to get subdomains added to the HPKP list. I got the info and tried to move that forward in #tor-project, but that failed. So, here is where we are:

18:01 < GeKo> so i asked around a bit a while back wrt getting more tpo subdomains in the static firefox pin list.
18:02 < GeKo> and the answer was basically to open a ticket on bugzilla
18:02 < GeKo> probably similar to 
18:03 < GeKo> or maybe even better as a child bug to the pin all the things one: 
18:03 < GeKo> i'd be especially interested in static pins for the updater related 
18:04 < GeKo> what's the process for getting this moved forward?

One thing to consider is that Google is deprecating HPKP and pushing for CT. Not sure how that influences our decision about supporting HPKP ourselves.

Child Tickets

Change History (8)

comment:1 Changed 12 months ago by mcs

Cc: brade mcs added

comment:2 Changed 9 months ago by weasel

Yeah, I'm really not sure what our HPKP plan should be.

comment:3 Changed 3 months ago by releng

It should be to add your sensitive subdomains to the browsers' HPKP built-in preload list (and to do nothing with HPKP itself).
See 'More information' section in

comment:4 Changed 3 months ago by micah

Google announced it is deprecating HPKP: !msg/blink-dev/he9tr7p3rZ8/eNMwKPmUBAAJ

I believe HPKP is going away in general because it is extremely risky. A trivial mistake will brick your site, but Google says it's too hard to build a pin-set that's guaranteed to work, and there is the risk of hostile pinning. Hostile pinning hasn't been observed yet, but it's an attack that allows someone to take your site hostage should they somehow be able to obtain a valid certificate for your domain.

The adoption rate of HPKP has been very low, and because of that browser vendors are looking to replace it. Right now the alternatives are Expect-CT and CAA. I don't think it makes a lot of sense to pursue HPKP right now.

comment:5 Changed 3 months ago by releng

What is this stupid comment posted for?
HPKP is unusable on stateless browsers anyway and isn't discussed here.
Citing your precious Google:

Note that we're keeping static/preloaded key pins for the time being. Many high-value target sites are thus still protected.

comment:6 Changed 3 months ago by nickm

Hey, let's try to be polite here, please? I know it's frustrating to communicate sometimes, but everybody involved with this project is a human being.

comment:7 in reply to: 6 Changed 3 months ago by releng

Replying to nickm:

Hey, let's try to be polite here, please?

Hey, Nick! Let's try, but it's not the best strategy ever.

I know it's frustrating to communicate sometimes, but everybody involved with this project is a human being.

Communicate? After sunsetting Tor Messenger without a replacement, restricting IRC channels, disabling cypherpunks account, etc? It's hard to believe somebody here wants to communicate...

comment:8 Changed 3 months ago by releng

The files were downloaded via HTTPS, but the server certificates or public keys were not pinned.

Last edited 3 months ago by releng
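Two points in this thread lend themselves to a worked check: micah's warning in comment 4 that a trivial pin-set mistake bricks a site, and comment 8's observation that the updater downloads went over HTTPS without the server's public key being pinned. The Python below is an added example, not code from this ticket, from Tor's updater or from Mozilla. It computes RFC 7469 pin-sha256 values, sanity-checks a Public-Key-Pins header against the keys a server actually serves (RFC 7469 needs a max-age, at least one pin that matches an SPKI in the served chain, and at least one backup pin that does not), and shows the static pin check an updater can apply to a download connection. All certificate material in it is constructed: the "certificate" is an unsigned DER skeleton with the TBSCertificate field order, and the key bytes are placeholders, not real keys.

```python
import base64
import hashlib

# --- minimal DER helpers (enough to build and walk a certificate skeleton) ---

def der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_tlv(tag, content):
    return bytes([tag]) + der_len(len(content)) + content

def der_read_tlv(buf, off):
    """Return (tag, content_start, content_end) of the TLV starting at buf[off]."""
    tag, first = buf[off], buf[off + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        n = first & 0x7F
        length, hdr = int.from_bytes(buf[off + 2:off + 2 + n], "big"), 2 + n
    return tag, off + hdr, off + hdr + length

def extract_spki(cert_der):
    """Pull the SubjectPublicKeyInfo TLV out of a DER X.509 certificate.
    Certificate ::= SEQUENCE { tbsCertificate SEQUENCE { [0] version OPTIONAL,
    serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ... } ... }"""
    tag, tbs_off, _ = der_read_tlv(cert_der, 0)
    tag2, off, _ = der_read_tlv(cert_der, tbs_off)
    if tag != 0x30 or tag2 != 0x30:
        raise ValueError("not a DER Certificate")
    if cert_der[off] == 0xA0:                      # optional [0] EXPLICIT version
        _, _, off = der_read_tlv(cert_der, off)
    for _ in range(5):                             # serial, sigalg, issuer, validity, subject
        _, _, off = der_read_tlv(cert_der, off)
    tag, _, end = der_read_tlv(cert_der, off)
    if tag != 0x30:
        raise ValueError("subjectPublicKeyInfo not found")
    return cert_der[off:end]                       # whole TLV, which is what RFC 7469 hashes

def spki_pin(spki_der):
    """pin-sha256 value: base64(SHA-256(DER SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()

# --- Public-Key-Pins header: parse and sanity-check against the served chain ---

def parse_pkp(header):
    policy = {"pins": [], "max_age": None, "include_subdomains": False}
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "pin-sha256":
            policy["pins"].append(value)
        elif name == "max-age":
            policy["max_age"] = int(value)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
    return policy

def pin_set_problems(header, chain_spkis):
    """Return the mistakes that would get the header ignored or lock clients out:
    RFC 7469 needs a max-age, at least one pin matching an SPKI in the served
    chain, and at least one backup pin that is not in the chain."""
    policy = parse_pkp(header)
    chain_pins = {spki_pin(s) for s in chain_spkis}
    problems = []
    if policy["max_age"] is None:
        problems.append("missing max-age: UAs ignore the header")
    if not any(p in chain_pins for p in policy["pins"]):
        problems.append("no pin matches the served chain: clients that noted this set reject the site")
    if not any(p not in chain_pins for p in policy["pins"]):
        problems.append("no backup pin: a key rotation locks clients out for max-age")
    return problems

# --- constructed test material: NOT real keys or certificates ---

RSA_OID = bytes.fromhex("06092a864886f70d010101")          # rsaEncryption
SHA256_RSA_OID = bytes.fromhex("06092a864886f70d01010b")   # sha256WithRSAEncryption

def make_spki(fake_key_bytes):
    alg = der_tlv(0x30, RSA_OID + b"\x05\x00")
    return der_tlv(0x30, alg + der_tlv(0x03, b"\x00" + fake_key_bytes))

def make_cert_skeleton(spki):
    """Certificate-shaped DER with the TBSCertificate field order; unsigned, constructed."""
    version = der_tlv(0xA0, der_tlv(0x02, b"\x02"))
    sigalg = der_tlv(0x30, SHA256_RSA_OID + b"\x05\x00")
    name = der_tlv(0x30, b"")
    validity = der_tlv(0x30, der_tlv(0x17, b"200101000000Z") + der_tlv(0x17, b"300101000000Z"))
    tbs = der_tlv(0x30, version + der_tlv(0x02, b"\x01") + sigalg + name + validity + name + spki)
    return der_tlv(0x30, tbs + sigalg + der_tlv(0x03, b"\x00" * 9))

def updater_accepts(leaf_cert_der, pinned):
    """The check comment 8 says was absent: trust the download only if the
    server's SPKI pin is in the updater's built-in pinned set (no header involved)."""
    return spki_pin(extract_spki(leaf_cert_der)) in pinned

if __name__ == "__main__":
    current, backup = make_spki(b"\x01" * 32), make_spki(b"\x02" * 32)
    cert = make_cert_skeleton(current)
    good = 'pin-sha256="%s"; pin-sha256="%s"; max-age=5184000' % (spki_pin(current), spki_pin(backup))
    print(pin_set_problems(good, [current]))                                   # []
    print(pin_set_problems('pin-sha256="%s"' % spki_pin(current), [current]))  # two problems
    print(updater_accepts(cert, {spki_pin(current), spki_pin(backup)}))        # True
```

The updater check is the static-pin approach releng describes in comment 3 and that the Chromium announcement quoted in comment 5 keeps: the pin set ships with the client, so there is no header for a hostile party to set and no max-age window to outlive a mistaken deployment. Run pin_set_problems against the real chain before ever sending a Public-Key-Pins header; a result other than an empty list is exactly the "trivial mistake" that locks clients out.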