The Tor Project / TPA / TPA team / Issues / #33592
Created Mar 11, 2020 by weasel (Peter Palfrader), Owner. 7 of 7 tasks completed.

drop http public key pinning (HPKP)

HTTP PKP has been deprecated and removed from many browsers already.

We should stop sending that header.

I propose a two-stage process:

  1. get clients that visit us regularly to drop their cached pin
  2. after all pins would also have expired, stop sending the header entirely.

For 1, something like this:

--- a/modules/apache2/templates/ssl-key-pins.erb
+++ b/modules/apache2/templates/ssl-key-pins.erb
@@ -24,7 +24,9 @@
     if pin_info.size >= 2 then
       pin_info = pin_info.map{ |x| x.gsub('"', '\"') }
       # 60 days
-      pin_info << "max-age=5184000"
+      #pin_info << "max-age=5184000"
+      # 0 days, set 2020-03-11, so we can get rid of the header around 2020-05-11.
+      pin_info << "max-age=0"
       pin_str = pin_info.join("; ")
       res << "  Header always set Public-Key-Pins \"#{pin_str}\""
     else
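Review bot: the new `max-age=0` line only works as an unpin because the header still carries the two pins from `pin_info` behind the `pin_info.size >= 2` guard; a UA applies the RFC 7469 section 2.3.1 "cease regarding the host as pinned" rule only to a Public-Key-Pins header it would otherwise accept (valid `pin-sha256` values plus a backup pin), so a malformed or pin-less header is ignored and the cached pin survives. Say that in the comment, e.g. `# keep the real pins here: a UA only honours max-age=0 from a header it would otherwise accept`, so a later cleanup does not strip the pins before stage 2. Also drop the commented-out `#pin_info << "max-age=5184000"` rather than keep dead code; git history already records the old value, and the date comment already explains the 60-day wait.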

See also https://tools.ietf.org/html/rfc7469#section-2.3.1

  1. get clients that visit us regularly to drop their cached pin (done on 2020-03-11)
  2. after all pins would also have expired, stop sending the header entirely (done on 2020-10-14)
  3. update the tls documentation page in the wiki to remove mention of HPKP
  4. cleanup backup keys passphrase from password manager (although still present in git history)
  5. if all goes well, remove the dead code from letsencryt-domains.git (pending: in my worktree on my workstation, waiting for puppet to run everywhere)
  6. remove all pins from the tor-backup-keys.git repository
  7. archive or destroy the repository
Edited Oct 20, 2020 by anarcat
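The two-stage plan above (stage 1: serve `max-age=0` with the pins still present; stage 2: drop the header once the last 60-day pin has expired) can be checked mechanically. The following is an added example, not code from the issue or from the Tor Project's puppet or letsencrypt repositories. It parses a Public-Key-Pins header value the way a conforming UA would before acting on it (RFC 7469 sections 2.1, 2.3.1 and 2.5: `max-age` required, at least two `pin-sha256` values so that a backup pin exists, base64 of a 32-byte SHA-256 digest), reports whether the header would pin, unpin, or be ignored, and computes the earliest date stage 2 may start. The pin values are constructed from made-up SPKI strings, not real Tor keys; `template_header` only reproduces the header shape the erb template emits.

```python
import base64
import binascii
from datetime import date, timedelta
from hashlib import sha256


def _parse_directives(value):
    """Split a header value into (name, argument) pairs: directives are
    ';'-separated, names are case-insensitive, the optional argument follows
    '=' and may be double-quoted (RFC 7469 section 2.1)."""
    out = []
    for raw in value.split(";"):
        raw = raw.strip()
        if not raw:
            continue
        name, _, arg = raw.partition("=")
        name = name.strip().lower()
        arg = arg.strip()
        if len(arg) >= 2 and arg[0] == '"' and arg[-1] == '"':
            arg = arg[1:-1]
        out.append((name, arg))
    return out


def parse_pkp(value):
    """Return the parsed directives as a dict. Raises ValueError when a
    pin-sha256 value is not base64 of a 32-byte digest or max-age is not a
    non-negative integer. Unknown directives are ignored; the first max-age wins."""
    info = {"pins": [], "max_age": None, "include_subdomains": False, "report_uri": None}
    for name, arg in _parse_directives(value):
        if name == "pin-sha256":
            try:
                digest = base64.b64decode(arg, validate=True)
            except binascii.Error as exc:
                raise ValueError(f"pin-sha256 is not base64: {arg!r}") from exc
            if len(digest) != 32:
                raise ValueError(f"pin-sha256 is not a SHA-256 digest: {arg!r}")
            info["pins"].append(arg)
        elif name == "max-age":
            if info["max_age"] is None:
                if not arg.isdigit():
                    raise ValueError(f"max-age is not an integer: {arg!r}")
                info["max_age"] = int(arg)
        elif name == "includesubdomains":
            info["include_subdomains"] = True
        elif name == "report-uri":
            info["report_uri"] = arg
    return info


def ua_action(value):
    """What a conforming UA does with a Public-Key-Pins header value:
      'ignore' - malformed, no max-age, or fewer than two pins (no backup pin
                 possible); any pin already cached for the host is left alone
      'unpin'  - max-age=0: stop treating the host as a pinned host
      'pin'    - remember the pins for max-age seconds
    Only header syntax is checked here; matching the pins against the served
    certificate chain is the UA's TLS-layer job and is out of scope."""
    try:
        info = parse_pkp(value)
    except ValueError:
        return "ignore"
    if info["max_age"] is None or len(info["pins"]) < 2:
        return "ignore"
    if info["max_age"] == 0:
        return "unpin"
    return "pin"


def earliest_header_removal(switch_date_iso, previous_max_age_seconds):
    """Stage 2 date: a client that fetched the last max-age=N header just
    before the switch to max-age=0 holds its pin for N more seconds, so the
    header may only disappear after switch_date + N."""
    switch = date.fromisoformat(switch_date_iso)
    return switch + timedelta(seconds=previous_max_age_seconds)


# Constructed pins: base64 SHA-256 of made-up SPKI strings, not real keys.
PRIMARY = base64.b64encode(sha256(b"constructed primary spki").digest()).decode()
BACKUP = base64.b64encode(sha256(b"constructed backup spki").digest()).decode()


def template_header(max_age):
    """Header shape the erb template in the issue emits for two pins."""
    return f'pin-sha256="{PRIMARY}"; pin-sha256="{BACKUP}"; max-age={max_age}'


if __name__ == "__main__":
    print(ua_action(template_header(5184000)))                    # pin
    print(ua_action(template_header(0)))                          # unpin
    print(ua_action(f'pin-sha256="{PRIMARY}"; max-age=0'))        # ignore
    print(earliest_header_removal("2020-03-11", 5184000))         # 2020-05-10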