Blog | G5 Cyber Security

HTTP Public Key Pinning: Preloading Options

TL;DR

Yes, you can preload HTTP Public Key Pinning (HPKP) to improve security and reduce the risk of man-in-the-middle attacks. This involves submitting your pinning policy to a public list maintained by Google. However, HPKP is now largely superseded by Certificate Transparency (CT). This guide explains how preloading worked and why CT is preferred, along with steps for checking if your domain was included in the historical preload lists.

Understanding HTTP Public Key Pinning

HPKP allowed website owners to tell browsers which public keys they trust. This meant a browser would refuse to connect to your site if it saw a certificate not signed by one of those trusted keys, even if that certificate was otherwise valid from a recognised Certificate Authority (CA). It aimed to protect against rogue CAs issuing fraudulent certificates.

Why HPKP is Less Common Now

HPKP had significant drawbacks:

Most browsers have removed or are removing support for HPKP.

Preloading: How it Worked (Historical)

Preloading involved submitting your pinning policy to Google’s public list. Browsers that supported preloading would then include this information in their build, meaning they’d enforce the pin before even attempting a connection to your site.

Steps for Checking Historical HPKP Preload Status

  1. Check Your Policy: First, you need to know what pinning policy you *used* to have. This was typically delivered via an HTTP header. Look for the Public-Key-Pins header in your web server configuration or through browser developer tools (Network tab). An example might look like this:
    Public-Key-Pins: pin-sha256="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"; max-age=31536000; includeSubDomains
  2. Use the HPKP Report Tool: Google provided a tool to check if your domain was included in their preload lists. This tool is no longer actively maintained, but you can still try it:
  3. Review the Results: The tool would indicate whether your pinning policy was found in the preload list. If it wasn’t, it means preloading wasn’t active for your site.
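As an added example (not code from the original post), the following Python computes the pin-sha256 value for a DER-encoded SubjectPublicKeyInfo and sanity-checks a Public-Key-Pins header of the kind step 1 asks you to locate; the two SPKI byte strings are constructed stand-ins, not real keys. Run against the placeholder header above, it also shows why a 64-character pin cannot be a real SHA-256 pin: a base64 SHA-256 digest is always 44 characters.

```python
import base64
import hashlib
import re

# Constructed sample input: stand-ins for the DER SubjectPublicKeyInfo of the live
# key and an offline backup key (with real certificates the DER comes from, e.g.,
# openssl x509 -in cert.pem -pubkey -noout | openssl pkey -pubin -outform der).
CURRENT_SPKI = b"constructed-spki-current-key"
BACKUP_SPKI = b"constructed-spki-backup-key"

def spki_pin(spki_der: bytes) -> str:
    """pin-sha256 value: base64 of the SHA-256 digest of the DER SPKI."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")

def build_header(spkis, max_age=5184000, include_subdomains=False) -> str:
    """Assemble a Public-Key-Pins value from SPKI blobs (RFC 7469 wants a backup pin)."""
    parts = [f'pin-sha256="{spki_pin(s)}"' for s in spkis] + [f"max-age={max_age}"]
    return "; ".join(parts + (["includeSubDomains"] if include_subdomains else []))

def parse_hpkp(header: str) -> dict:
    """Parse a header value (a leading 'Public-Key-Pins:' is tolerated) and list its defects."""
    header = re.sub(r"^\s*public-key-pins(-report-only)?\s*:", "", header, flags=re.I)
    out = {"pins": [], "max_age": None, "include_subdomains": False, "problems": []}
    for part in header.split(";"):  # base64 never contains ';', so splitting is safe for pins
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")  # split at the first '=' so base64 padding survives
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "pin-sha256":
            try:
                digest = base64.b64decode(value, validate=True)
            except ValueError:  # binascii.Error is a ValueError
                digest = b""
            if len(digest) == 32:  # a SHA-256 digest is 32 bytes, i.e. 44 base64 characters
                out["pins"].append(value)
            else:
                out["problems"].append(f"pin is not a base64 SHA-256 digest: {value!r}")
        elif name == "max-age" and value.isdigit():
            out["max_age"] = int(value)
        elif name == "includesubdomains":
            out["include_subdomains"] = True
        elif name != "report-uri":
            out["problems"].append(f"bad or unknown directive: {part!r}")
    if len(out["pins"]) < 2:
        out["problems"].append("fewer than two valid pins; RFC 7469 requires a backup pin")
    if out["max_age"] is None:
        out["problems"].append("max-age directive is missing or malformed")
    return out
```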

What to Do Now (Instead of HPKP)

  1. Focus on Certificate Transparency: Ensure your CA is logging certificates to a public CT log. Most modern CAs do this automatically. You can search the CT logs for certificates issued for your domain using tools like crt.sh.
  2. Enable HSTS: Implement HTTP Strict Transport Security (HSTS) to force browsers to use HTTPS and prevent downgrade attacks.
  3. Monitor Certificate Issuance: Regularly monitor certificate issuance for your domain to detect any unexpected or fraudulent certificates.