Get ready for the age of surveillance

Thanks to https://www.iconfinder.com/icons/197218/camera_meanicons_security_surveillance_icon#size=256

[1]

Skip to short version

You probably know SSL/TLS – that’s the protocol used to encrypt our communication over the internet. If you call a website with https instead of http in front of the actual URL, the page will be transmitted encrypted – that’s very practical in case you would like to send a password or get personal data.

Now in order for a website to be able to support https the server owner has to implement it – that’s why still not all website are available via SSL.

Ok, enough introduction. This article is for those people who already implemented SSL into their page in order to protect their content and the data of their users… but how secure is SSL? Very secure if you are using signed certificates, this way you can recognize man-in-the-middle attacks… if not the signing company is the person doing the attack. This can for example happen if an intelligence agency (like a secret service) wants access to data, which they can’t get by themselves because it’s encrypted via SSL. If the agency asks the certificate provider to sign their certificate which they will be using for a man-in-the-middle attack the user will – with a high chance – not notice.

Now I would like to show you one solution you can use the prevent this: Public-Key Pinning (short HPKP, meaning HTTP-Public-Key-Pinning).

Public-Key Pinning

SSL uses a private and public key for encryption. The private key – in best cases – never leaves the server, the public key is sent to the person who wants to open the website (access the server). Now they exchange keys using asymmetric encryption. Read more about how it works on Wikipedia. A man-in-the-middle would use a different public key than the one sent by the server – because it has to belong to a private key which the attacker owns.

So what we notice is that the only way to identify an attacker who as a valid certificate is through the public-key. And exactly that’s where the public key pinning comes in. When you open the website for the first time a hash of the (original) public-key is sent in the header of the website. Every time the website is then opened, the browser checks if the hash of the public key is the one, sent in the header previously.

Compatibility

Sadly, not all browsers have implemented this feature yet. The good news is though, that two very big browsers have: Firefox and Google Chrome.

Implementing it

Now you want to deliver your website more secure? You want to be more secure than a bank – well online bank? You don’t like mass surveillance through the government – or the people calling themselves like that? Well go and read how actually easy it is to implement it! Please read the Good to know before going over to production use.

Good to know

Exceptions

There is one case where HPKP is not safe. That is if the first time you open the website (the moment your browser saves the pin) is being manipulated by an attack. It can also happen that the users Anti-Virus (or only Virus) prevents HPKP because they are actually doing a man-in-the-middle “listening” themselves in order to detect malware.

Tips on implementing

If you are implementing HPKP be careful to not lock your website. The hash of your public-key is valid for a certain time – set through the max-age parameter. If you do something wrong – for example you have lost your private-key (meaning you need a new certificate) – it can happen that you can’t access your site until the hash expires. So please use a low max-age time while testing.

When implementing you will need at least two hashes: one of your current certificate and a backup one, just in case something happens like I stated before. If you only have one hash, it won’t work at all.

Testing if it worked

When you’re done implementing it, you want to test if the pinning works. If everything worked well you can still open your website as normal. To test if the browser saved the pin you can now a) change the SSL-Certificate to one which is not part of the backup hashes and see if the browser give you an error or b) use this handy website.

SSL can also be hardened in general not only through HPKP. Try Qualys SSL Test to check how secure your SSL connection is and check out this article to see how you can harden it.

Short version Learn more about short versions here

In order to make your page more secure I would recommend implementing public-key pinning. Public-key pinning sends a hash of the public-key of your servers SSL-Certificate to the browser (as a header). The browser saves the pin and from now on checks if the hash of the public-key is the same as the saved one. This can effectively prevent man-in-the-middle attacks while not influencing the user experience (if you do everything correct). Read how to use it over at Mozilla’s Doc’s.

 

[1] Attributions for the features image to Vectorgaphit

Comments are closed.