Support real public key pinning #1187
Comments
Closing as not active for a very long time.
Are you kidding, no… this is still a feature that is missing. Nobody was active to implement it.
Come on, can't you reopen it? Closing issues just because they are not regularly commented on does not mean they are not important. This is just silly… And we are not talking about a "nice little shiny feature that may make it look nicer", but about an actual security feature here!
It's hard to cope with a huge amount of issues. So it only makes sense to track ones somebody will be working on. Feel free to send a PR.
Currently one can only pin the ssl/tls certificate fingerprint.
However this has one big issue:
When the cert expires and/or is renewed, the fingerprint changes, so this breaks the connection regularly! To prevent this, pin the public key of the key pair instead of the certificate fingerprint.
That's how it is done in HPKP, and it is deployed and tested in browsers around the world. It is much more failure-resistant than pinning the certificate.
Additionally, one should be able to pin multiple SHA-256 hashes, so that backup pins can be configured just as is done in HPKP. I'd also suggest you accept the same hash format (= base64-encoded SHA-256 hash of the DER-encoded public key) as HPKP or e.g. curl.
I separated the HPKP request from this one (#1185), as this one is about statically pinning the public key, just as you can already do with the certificate, and HPKP is about dynamically pinning the key on the first visit.
More information on how to pin correctly:
/cc @lgrahl