[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

[tor-bugs] #33592 [Internal Services/Tor Sysadmin Team]: drop http public key pinning



#33592: drop http public key pinning
-----------------------------------------------------+-----------------
     Reporter:  weasel                               |      Owner:  tpa
         Type:  defect                               |     Status:  new
     Priority:  Medium                               |  Milestone:
    Component:  Internal Services/Tor Sysadmin Team  |    Version:
     Severity:  Normal                               |   Keywords:
Actual Points:                                       |  Parent ID:
       Points:                                       |   Reviewer:
      Sponsor:                                       |
-----------------------------------------------------+-----------------
 http PKP has been deprecated and removed from many browsers already.

 We should stop sending that header.

 I propose a 2 stage process:

 1) get clients that visit us regularly to drop their cached pin
 2) after all pins would also have expired, stop sending the header
 entirely.

 for 1, something like this
 {{{
 --- a/modules/apache2/templates/ssl-key-pins.erb
 +++ b/modules/apache2/templates/ssl-key-pins.erb
 @@ -24,7 +24,9 @@
      if pin_info.size >= 2 then
        pin_info = pin_info.map{ |x| x.gsub('"', '\"') }
        # 60 days
 -      pin_info << "max-age=5184000"
 +      #pin_info << "max-age=5184000"
 +      # 0 days, set 2020-03-11, so we can get rid of the header around
 2020-05-11.
 +      pin_info << "max-age=0"
        pin_str = pin_info.join("; ")
        res << "  Header always set Public-Key-Pins \"#{pin_str}\""
      else
 }}}

 also cf https://tools.ietf.org/html/rfc7469#section-2.3.1

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/33592>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs