Opened 5 months ago

Last modified 3 months ago

#33592 needs_review task

drop http public key pinning

Reported by: weasel Owned by: tpa
Priority: Medium Milestone:
Component: Internal Services/Tor Sysadmin Team Version:
Severity: Normal Keywords:
Cc: Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

http PKP has been deprecated and removed from many browsers already.

We should stop sending that header.

I propose a 2 stage process:

1) get clients that visit us regularly to drop their cached pin
2) after all pins would also have expired, stop sending the header entirely.

for 1, something like this

--- a/modules/apache2/templates/ssl-key-pins.erb
+++ b/modules/apache2/templates/ssl-key-pins.erb
@@ -24,7 +24,9 @@
     if pin_info.size >= 2 then
       pin_info = pin_info.map{ |x| x.gsub('"', '\"') }
       # 60 days
-      pin_info << "max-age=5184000"
+      #pin_info << "max-age=5184000"
+      # 0 days, set 2020-03-11, so we can get rid of the header around 2020-05-11.
+      pin_info << "max-age=0"
       pin_str = pin_info.join("; ")
       res << "  Header always set Public-Key-Pins \"#{pin_str}\""
     else

also cf https://tools.ietf.org/html/rfc7469#section-2.3.1

Child Tickets

Change History (3)

comment:1 Changed 5 months ago by anarcat

+1

comment:2 Changed 5 months ago by weasel

Did step 1.

comment:3 Changed 3 months ago by anarcat

Status: newneeds_review
Type: defecttask

the headers would have expired last week, according to the math in the original description. would still be worth recomputing.

Note: See TracTickets for help on using tickets.