[tor-bugs] #33592 [Internal Services/Tor Sysadmin Team]: drop http public key pinning

Tor Bug Tracker & Wiki blackhole at torproject.org
Wed Mar 11 09:25:43 UTC 2020


#33592: drop http public key pinning
-----------------------------------------------------+-----------------
     Reporter:  weasel                               |      Owner:  tpa
         Type:  defect                               |     Status:  new
     Priority:  Medium                               |  Milestone:
    Component:  Internal Services/Tor Sysadmin Team  |    Version:
     Severity:  Normal                               |   Keywords:
Actual Points:                                       |  Parent ID:
       Points:                                       |   Reviewer:
      Sponsor:                                       |
-----------------------------------------------------+-----------------
 HTTP PKP has been deprecated and removed from many browsers already.

 We should stop sending that header.

 I propose a 2 stage process:

 1) get clients that visit us regularly to drop their cached pin
 2) after all pins would also have expired, stop sending the header
 entirely.

 For 1, something like this:
 {{{
 --- a/modules/apache2/templates/ssl-key-pins.erb
 +++ b/modules/apache2/templates/ssl-key-pins.erb
 @@ -24,7 +24,9 @@
      if pin_info.size >= 2 then
        pin_info = pin_info.map{ |x| x.gsub('"', '\"') }
        # 60 days
 -      pin_info << "max-age=5184000"
 +      #pin_info << "max-age=5184000"
 +      # 0 days, set 2020-03-11, so we can get rid of the header around
 2020-05-11.
 +      pin_info << "max-age=0"
        pin_str = pin_info.join("; ")
        res << "  Header always set Public-Key-Pins \"#{pin_str}\""
      else
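 Review bot: the `# 60 days` comment above the new `max-age=0` line is now stale, and the commented-out `max-age=5184000` line is dead code; since stage 2 deletes this whole block anyway, remove both lines instead of leaving them commented out. Also check that the new comment is committed as a single line: in the hunk as shown, `2020-05-11.` sits on its own line after `around`, where Ruby would no longer treat it as part of the comment. The `pin_info.size >= 2` guard above is right to keep: a user agent only acts on a Public-Key-Pins header, including the `max-age=0` "forget this host" case from RFC 7469 section 2.3.1, when the header is otherwise valid, so the pins must keep being sent throughout stage 1.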
 }}}

 also cf https://tools.ietf.org/html/rfc7469#section-2.3.1

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/33592>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
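The following is an added example, not code from the ticket or from the Tor sysadmin Puppet repository, that checks where a server's responses sit in the two-stage plan above: it parses a Public-Key-Pins header value along the lines of RFC 7469 section 2.1 and classifies it as still pinning (max-age > 0), telling clients to forget the pin (max-age=0 with at least two pins, section 2.3.1), absent (stage 2 done), or ignorable by a user agent (no max-age, or fewer than two pins, which cannot satisfy the backup-pin rule of section 2.5). The sample header values, the response hashes and the function names are constructed for the example; the two pin strings are taken from the RFC's own examples and do not belong to any real host.

```ruby
# Added example: classify a server's Public-Key-Pins header against the
# two-stage removal plan (max-age=0 first, then drop the header).
# Not part of the ticket or of the Tor sysadmin repository.

# Parse a Public-Key-Pins header value into its directives (RFC 7469 s2.1).
# Returns :pins (base64 SPKI hashes), :max_age (Integer or nil),
# :include_subdomains (true/false) and :report_uri (String or nil).
def parse_pkp(value)
  result = { pins: [], max_age: nil, include_subdomains: false, report_uri: nil }
  value.split(';').each do |directive|
    directive = directive.strip
    next if directive.empty?
    name, _, raw = directive.partition('=')
    name = name.strip.downcase
    arg = raw.strip.delete_prefix('"').delete_suffix('"')
    case name
    when 'pin-sha256'        then result[:pins] << arg
    when 'max-age'           then result[:max_age] = (Integer(arg, 10) rescue nil) # junk -> nil -> ignored
    when 'includesubdomains' then result[:include_subdomains] = true
    when 'report-uri'        then result[:report_uri] = arg
    end
  end
  result
end

# Classify one response's headers (a Hash of name => value):
#   :not_pinning   no header at all (stage 2 complete)
#   :forgetting    header with max-age=0 and >= 2 pins (stage 1: clients drop the cached pin)
#   :still_pinning header with max-age > 0 (nothing changed yet)
#   :ignored       header a UA must ignore (no max-age, or fewer than two pins, so
#                  no backup pin is possible); it neither pins nor clears a pin
def pkp_stage(headers)
  value = headers.find { |name, _| name.casecmp?('Public-Key-Pins') }&.last
  return :not_pinning if value.nil?
  pkp = parse_pkp(value)
  return :ignored if pkp[:pins].size < 2 || pkp[:max_age].nil?
  pkp[:max_age].zero? ? :forgetting : :still_pinning
end

# Classify a set of named responses at once; returns name => stage.
def audit(responses)
  responses.transform_values { |headers| pkp_stage(headers) }
end

# Constructed sample data. The pin values are the example pins from RFC 7469,
# not pins of any real host.
PIN_A = 'cUPcTAZWKaASuYWhhneDttWpY3oBAkE3h2+soZS7sWs='
PIN_B = 'M8HztCzM3elUxkcjR2S5P4hhyBNf6lHkmjAHKhpGPWE='

SAMPLE_RESPONSES = {
  # what the template sent before the change: 60-day pin
  'before' => { 'Public-Key-Pins' => "pin-sha256=\"#{PIN_A}\"; pin-sha256=\"#{PIN_B}\"; max-age=5184000" },
  # stage 1: same pins, max-age=0, so returning clients forget the pin
  'stage1' => { 'Public-Key-Pins' => "pin-sha256=\"#{PIN_A}\"; pin-sha256=\"#{PIN_B}\"; max-age=0" },
  # stage 2: header gone entirely
  'stage2' => { 'Content-Type' => 'text/html' },
  # a broken variant: only one pin, which a UA must ignore
  'broken' => { 'Public-Key-Pins' => "pin-sha256=\"#{PIN_A}\"; max-age=0" },
}

if __FILE__ == $PROGRAM_NAME
  audit(SAMPLE_RESPONSES).each { |name, stage| puts "#{name}: #{stage}" }
end
```

Run against a real server, the headers hash would come from an HTTPS response; the point of the `:ignored` class is that a stage-1 header with only one pin (for example after a key rotation that drops an old pin) would not clear anything in clients' caches, so the pin count is worth checking before the stage-2 date is relied on.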