TL;DR
No. HPKP (HTTP Public Key Pinning) never changed anything on the wire: the pin check was a comparison the browser made after the TLS handshake, so passive DPI was unaffected, and enterprise TLS-interception proxies were exempt by design because browsers skipped pin validation for chains ending at a locally installed root. The one thing it could do was make a man-in-the-middle that used an unpinned but publicly trusted certificate fail in browsers that had already cached the site's pins. It is deprecated and has been removed from browsers, so there is nothing to deploy today.
What is HPKP?
HPKP (RFC 7469) let a site send a Public-Key-Pins response header listing SHA-256 hashes of public keys (of the DER-encoded SubjectPublicKeyInfo, not of whole certificates) that had to appear somewhere in the certificate chain for that host. The browser remembered those pins for max-age seconds on a trust-on-first-use basis: the first visit was not protected, but on later visits a validated chain containing none of the pinned keys was rejected. It is now deprecated (Chrome removed it in version 72 in 2019, Firefox in version 72 in 2020) because a misconfigured or lost key could lock every returning user out of the site for the whole max-age period, and an attacker who briefly controlled the site could set hostile pins with the same effect.
What is DPI?
Deep Packet Inspection means a firewall examines the contents of network packets, not just their headers (source/destination addresses, ports etc.). It can identify applications, block specific content, and detect malicious activity. Firewalls use various methods for DPI including:
- Signature-based detection: Looking for known patterns in traffic.
- Protocol analysis: Identifying and parsing protocols such as HTTP, DNS and TLS. For TLS this covers the cleartext parts of the handshake (the SNI, the offered cipher suites and extensions, and in TLS 1.2 the server certificate itself) without decrypting any application data.
- Heuristic analysis: Detecting unusual or suspicious behaviour.
Can HPKP bypass DPI?
Not directly. Here’s why:
- The pin check is inside the browser, not on the wire: the Public-Key-Pins header travels inside the encrypted HTTP response, and the comparison of SPKI hashes happens after the handshake completes. A firewall doing passive DPI (SNI, certificate, cipher-suite fingerprinting, traffic shape) sees nothing different from an unpinned site.
- Interception proxies were exempt by design: to read HTTPS payloads a firewall must terminate TLS with a private CA installed on the managed endpoints. Decrypting is expensive and invasive, which is why many firewalls rely on handshake metadata instead, but the ones that do decrypt were never stopped by HPKP. RFC 7469 section 2.6 lets a user agent skip pin validation when the chain ends at a locally installed trust anchor, and Chrome and Firefox did exactly that, so a corporate DPI proxy kept working on pinned sites.
- Other DPI techniques are unaffected: application-layer gateways (ALGs), protocol parsing and behavioural analysis do not depend on the certificate chain at all.
How HPKP could make interception harder
The only interception HPKP could block was the kind that relied on a certificate the browser would otherwise have trusted:
- Rogue or mis-issued certificates: if a MITM presented a chain from a publicly trusted CA that contained none of the pinned keys, a browser that already held the site's pins completed the TLS handshake, found no matching SPKI hash, and closed the connection without sending any HTTP request (optionally posting a failure report to the report-uri). The attacker saw a ClientHello and a handshake, but no application data.
- Narrow scope: this did not apply on a first visit (nothing was pinned yet), after the pins expired, or when the interception CA was a root the user or their administrator had installed, which is exactly the case for enterprise DPI. HPKP therefore never made a DPI engine fail; it only removed one option from an attacker without a trusted root on the client.
Example: HPKP Header (Deprecated – for understanding only)
This is what a valid header looked like. Each pin-sha256 value is the base64 encoding (44 characters, ending in =) of the SHA-256 hash of a DER-encoded SubjectPublicKeyInfo; max-age is mandatory, and at least one listed pin had to be a backup key that was not present in the served chain, otherwise browsers ignored the header:
Public-Key-Pins: pin-sha256="<base64 SHA-256 of the current leaf SPKI>"; pin-sha256="<base64 SHA-256 of an offline backup key's SPKI>"; max-age=5184000; includeSubDomains
Important: This is an example only. HPKP is no longer recommended, and current browsers ignore the header.
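The following is an added example, not code from the original article or from any browser. It shows how a pin-sha256 value is derived from an SPKI, how the header is parsed, and the two rules from RFC 7469 that decide the outcome of the MITM scenario above: a user agent stores pins only when at least one matches the chain and at least one is a backup (section 2.5), and it validates a later connection by checking whether any SPKI in the chain hashes to a stored pin, with chains ending at a locally installed root exempt under local policy (section 2.6). The SPKI byte strings are constructed placeholders standing in for real DER structures, and the function names and the user_installed_root flag are my own.

```python
"""pin-sha256 derivation and the RFC 7469 pin rules (added example).

The SPKI blobs below are constructed placeholders for DER-encoded
SubjectPublicKeyInfo structures; only the hashing and the rules matter.
"""
from __future__ import annotations

import base64
import hashlib
import re
from dataclasses import dataclass


def spki_pin(spki_der: bytes) -> str:
    """pin-sha256 value: base64 of SHA-256 over the DER SubjectPublicKeyInfo.

    With a real certificate the same value comes from:
      openssl x509 -in cert.pem -pubkey -noout \
        | openssl pkey -pubin -outform der \
        | openssl dgst -sha256 -binary | base64
    """
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


@dataclass
class PinSet:
    pins: set[str]
    max_age: int
    include_subdomains: bool = False
    report_uri: str | None = None


# 32-byte digest -> 43 base64 characters plus one '=' of padding.
_PIN_RE = re.compile(r'pin-sha256="([A-Za-z0-9+/]{43}=)"')


def parse_pkp_header(value: str) -> PinSet | None:
    """Parse the value of a Public-Key-Pins header.

    Returns None when the header is not well-formed; RFC 7469 section 2.1
    makes the max-age directive mandatory.
    """
    pins = set(_PIN_RE.findall(value))
    max_age = None
    include_subdomains = False
    report_uri = None
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name == "max-age" and arg.isdigit():
            max_age = int(arg)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "report-uri":
            report_uri = arg
    if max_age is None:
        return None
    return PinSet(pins, max_age, include_subdomains, report_uri)


def should_note_pins(pinset: PinSet, chain_spkis: list[bytes]) -> bool:
    """RFC 7469 section 2.5: store the pins only if at least one pin matches
    an SPKI in the validated chain AND at least one does not (the backup pin),
    so a site cannot pin itself to a single key it might lose."""
    chain_pins = {spki_pin(s) for s in chain_spkis}
    return bool(pinset.pins & chain_pins) and bool(pinset.pins - chain_pins)


def validate_pinned_connection(pinset: PinSet, chain_spkis: list[bytes],
                               user_installed_root: bool = False) -> bool:
    """RFC 7469 section 2.6: the connection passes if any SPKI in the
    validated chain hashes to a stored pin. The user_installed_root flag
    (an assumption of this example) models the local-policy exemption that
    Chrome and Firefox applied to chains ending at a locally installed CA,
    i.e. an enterprise TLS-interception proxy."""
    if user_installed_root:
        return True
    return any(spki_pin(s) in pinset.pins for s in chain_spkis)


# Constructed stand-ins for DER SPKI structures (not real keys).
SITE_LEAF_SPKI = b"constructed SPKI: site leaf key"
SITE_BACKUP_SPKI = b"constructed SPKI: offline backup key"
PUBLIC_CA_SPKI = b"constructed SPKI: public CA"
INTERCEPT_LEAF_SPKI = b"constructed SPKI: proxy-minted leaf for the site"
INTERCEPT_CA_SPKI = b"constructed SPKI: interception proxy CA"

SITE_HEADER_VALUE = (
    f'pin-sha256="{spki_pin(SITE_LEAF_SPKI)}"; '
    f'pin-sha256="{spki_pin(SITE_BACKUP_SPKI)}"; '
    'max-age=5184000; includeSubDomains'
)


def demo() -> dict[str, bool]:
    """Walk through the scenarios from the article with the rules above."""
    pinset = parse_pkp_header(SITE_HEADER_VALUE)
    assert pinset is not None
    legit_chain = [SITE_LEAF_SPKI, PUBLIC_CA_SPKI]
    rogue_chain = [INTERCEPT_LEAF_SPKI, INTERCEPT_CA_SPKI]
    return {
        "pins noted on first visit": should_note_pins(pinset, legit_chain),
        "legit chain passes": validate_pinned_connection(pinset, legit_chain),
        "rogue public-CA chain blocked": not validate_pinned_connection(pinset, rogue_chain),
        "enterprise-root chain exempt": validate_pinned_connection(
            pinset, rogue_chain, user_installed_root=True),
    }


if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(f"{scenario}: {outcome}")
```

Note that the browser only ever compares hashes it computed itself from the chain it validated; nothing in this logic is visible to a device on the path, which is why a passive DPI engine cannot tell a pinned site from an unpinned one.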
Better Alternatives for Security
- HSTS (HTTP Strict Transport Security): Makes the browser refuse plaintext HTTP to the host and treat certificate errors as fatal rather than click-through, which closes the downgrade and warning-bypass attacks HPKP was never aimed at.
- Certificate Transparency (CT): Publicly trusted CAs must log every certificate, and browsers have rejected certificates without CT proof since 2018 (Chrome and Safari). Monitoring the logs for your domains detects the mis-issuance that pinning was meant to block, without the self-inflicted outage risk.
- Strong TLS configuration: Prefer TLS 1.3, allow TLS 1.2 only with AEAD cipher suites, and keep certificates current and automatically renewed.
- Application-layer encryption: Where possible, encrypt sensitive payloads end to end above TLS, so that any TLS-terminating proxy on the path still sees only ciphertext.
Conclusion
HPKP was never a way to defeat DPI, and it no longer exists in browsers. Focus on HSTS, Certificate Transparency monitoring and a strong TLS configuration instead.