Concerned about online security? Be careful to avoid this mistake.
In the Beginning
The internet has long been a trusting and insecure place. The mechanisms put in place by the internet's early founders are largely still in use, and if you look just below the surface you can see that most of the internet is simply plain-text messages travelling between server and browser. For a large part of its history this was perfectly safe. But, just like your grandparents never bothered locking their doors in their small town, hackers and nefarious state actors have taught us that security is increasingly important.
In recent years, Google and other major players have been recommending Secure Sockets Layer (SSL) certificates for all industries. Once common only on banking or ecommerce sites, SSL certificates encrypt the information sent between your web browser and the site you're using. However, SSL requires a layer of trust as well as encryption: the browser, and thus you, must trust that the certificate was signed by a reputable Certificate Authority (CA) and that none of the keys along the way has been compromised. A limited number of certificate authorities issue all the SSL certificates on the internet. Think of a certificate authority as a tree: the roots and trunk are the backbone of trust for that authority, each branch is an intermediate certificate, also issued by the CA, and the leaves are the individual SSL certificates issued. If the roots or trunk are compromised, the entire tree falls.
Trust is Earned
The Symantec trees have fallen. Symantec provided certificates through a number of authorities: VeriSign, Thawte, GeoTrust, RapidSSL, and Equifax, yes, that Equifax. Google found enough recurring incidents of lax oversight and weak security to plan to completely distrust all Symantec SSL certificates. There is still plenty of time to act, but any website operator using one of these compromised certificates will need to purchase a new SSL certificate before the trust is removed. What happens when trust is removed? Your visitors will likely see a very nasty message explaining that the website's SSL is not trustworthy and that they should not continue.
Google wanted to give website owners another mechanism for providing a secure connection. In 2015 Google introduced an HTTP extension, the HTTP Public Key Pinning (HPKP) header. In theory, site owners would publish additional information about the key used to sign their certificate, so that a browser could detect a certificate signed by a different key. Certificate signing relies on the proven standard of asymmetric key-pair encryption: there is a private key, to be guarded with your life, and a public key that is distributed to the public. The keys are mathematically bound together, so that data encrypted with one can only be decrypted with the other. In theory, this was a great step towards protecting against the rare case of certificates issued from a compromised certificate authority. Of course, theories often reveal complications in practice.
Be Careful
The problem with HPKP, beyond its abbreviation, was that it is very difficult to maintain accurately. A simple misconfiguration could completely block your website from loading in any browser that supported the header. The header carries a lifetime for how long the public key pins should be trusted, which meant that your site would be unavailable for that entire period if something went wrong. If a system admin, or a potential hacker, misconfigured the pinned key, your site could be shut down for 30, 60, or even 365 days. That is a very high price for addressing an issue that is very rare. It wasn't just a theoretical risk for Smashing Magazine: when they accidentally misconfigured their HPKP header, their site became completely unavailable to the majority of visitors for multiple days. Symantec failed to protect its level of trust. Fortunately, there are still plenty of other certificate authorities that have maintained theirs and truly understand the importance of protecting it. Even if that trust is broken, it is still much quicker to recover by simply purchasing a new, trusted SSL certificate. With HPKP, if you no longer had access to your keys, or they were compromised, your site was at the mercy of the browser's memory, which can be very long.
Ultimately, the ease of misconfiguration and the risks of HPKP led Google to turn its back on HPKP and announce its deprecation. It will be removed from future versions of Chrome, and likely Firefox; it never made it into the other common browsers.
Despite the pitfalls of HPKP, Certificate Transparency (CT) is still important to Google. In 2017 it introduced another HTTP header in the hope of furthering this effort in a safer way. The Expect-CT header is still in its early phase, but it already offers more potential and more safety through a report-only mode. It's a good idea to start gathering information from this header now, before it becomes a requirement. And it's always a good idea to check your site against the standard SSL tests.
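To make the lockout risk described above concrete, here is an added example (not code from the original post) that lints a Public-Key-Pins header value for the misconfigurations that cause a self-lockout (a missing backup pin, a malformed pin, an overly long max-age, no report-uri) and reports whether an Expect-CT value is running in report-only or enforce mode. The sample header values, the 60-day warning threshold and the example.invalid report URLs are constructed for this demonstration.

```python
import base64
import re

# Constructed sample header values for the demo (not taken from any real site).
HPKP_HEADER = ('pin-sha256="' + base64.b64encode(b"\x01" * 32).decode() + '"; '
               'pin-sha256="' + base64.b64encode(b"\x02" * 32).decode() + '"; '
               'max-age=5184000; includeSubDomains; report-uri="https://example.invalid/hpkp"')
EXPECT_CT_HEADER = 'max-age=86400, report-uri="https://example.invalid/ct"'

# Assumed threshold: warn when a bad pin would stay cached longer than this many days.
MAX_AGE_WARN_DAYS = 60


def parse_directives(header):
    """Split a header value into (name, value) pairs; HPKP uses ';', Expect-CT uses ','."""
    pairs = []
    for part in re.split(r"[;,]", header):
        part = part.strip()
        if part:
            name, _, value = part.partition("=")
            pairs.append((name.strip().lower(), value.strip().strip('"')))
    return pairs


def lint_hpkp(header):
    """Return findings for a Public-Key-Pins value; an empty list means no obvious lockout risk."""
    findings = []
    directives = parse_directives(header)
    pins = [v for n, v in directives if n == "pin-sha256"]
    if len(pins) < 2:
        findings.append("fewer than two pins: without a backup pin a key rotation locks visitors out")
    for pin in pins:
        try:
            raw = base64.b64decode(pin, validate=True)
        except ValueError:
            raw = b""
        if len(raw) != 32:  # a pin is the base64 SHA-256 digest of the SubjectPublicKeyInfo
            findings.append("pin is not a base64 SHA-256 digest: " + pin[:12])
    max_age = next((v for n, v in directives if n == "max-age"), None)
    if max_age is None or not max_age.isdigit():
        findings.append("max-age missing or not an integer")
    elif int(max_age) / 86400 > MAX_AGE_WARN_DAYS:
        findings.append("max-age of %d days: a bad pin stays cached that long" % (int(max_age) // 86400))
    if not any(n == "report-uri" for n, _ in directives):
        findings.append("no report-uri: you will not hear about failures before your visitors do")
    return findings


def expect_ct_mode(header):
    """Expect-CT only blocks connections when the enforce directive is present."""
    return "enforce" if any(n == "enforce" for n, _ in parse_directives(header)) else "report-only"
```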
Want to make sure you’re doing everything you can to keep your website safe? Get in touch and we’ll be happy to help. Contact Vice President of Client Development Jennifer Boneno at 225-448-0756 or beyond@z-comm.com for more information.
Abbreviations
1. SSL – Secure Sockets Layer
2. CA – Certificate Authority
3. HTTP – Hyper Text Transfer Protocol
4. HPKP – HTTP Public Key Pinning
5. CT – Certificate Transparency