Geekspeak I don't understand
Peter Fairbrother
zenadsl6186 at zen.co.uk
Thu May 14 13:57:06 BST 2015
On 12/05/15 21:02, Roland Perry wrote:
> Can anyone tell me what this really means, and what might have gone
> wrong, or what's amiss in 'my setup'?
>
> "An error occurred during a connection to www.facebook.com. The server
> uses key pinning (HPKP) but no trusted certificate chain could be
> constructed that matches the pinset.
There are two main forms of key pinning. In the first the browser does
all the work, eg Chrome pins all the www.google.com sites to Google CAs,
in later Windows installations IE pins www.microsoft-update.com sites to
a Microsoft CA.
It's all a bit incestuous, but it probably works fairly well, and a
fatal error block is justified here when pinning fails.
Firefox started doing this last September, and afaik there haven't been
any significant problems.
Another form involves the first visit to a HTTPS site which claims to
use cert pinning. The first visit is supposed to be especially trusted,
though I can't imagine why.
Thereafter the browser is supposed to trust only the certificate
authority (or reportedly, ouch, the certificate) mentioned in the first
visit. This may or may not apply to all subdomains as well as the main
domain.
I think this latter form may be what has bitten you, though afaik
Facebook doesn't use hpkp. Maybe some thing else on the page, from
another source, does?
Firefox started doing this second type of pinning very recently.
> Key pinning violations cannot be
> overridden. (Error code: mozilla_pkix_error_key_pinning_failure)
>
> The page you are trying to view cannot be shown because the
> authenticity of the received data could not be verified.
>
> Please contact the website owners to inform them of this problem."
The RFC says you must refuse a connection if pinning fails, but this is
just plain stupid. I am a great fan of blocking connections when it is
100% correct to do so, as many will know - but here someone can MITM a
page, give out a false cert for the first visit, and cause you a
permanent DOS.
There are other holes too, eg you can block access to a site which has
been legitimately set up by MITM-ing a wrong cert. Firewalls and proxies
can cause trouble too. What happens if you want to delete a CA in the
browser list of CAs, and a pinning relies on it? What happens when a
site wants to change CA?
Privacy? I don't want someone who inspects my computer to know I have
visited kinkyporn.com. I don't want that kept in a list of pinnings.
The second form of key pinning is pretty rubbish, security-wise. They
haven't done anything like a proper security cost-benefit analysis.
A warning, yes that is appropriate. A report, even more so. Block it?
No.
You haven't the authority of correctness to do that. It would be like
hanging someone when you not only didn't know for sure he did the crime,
but were not even sure that a crime had been committed.
You are sacrificing availability for supposed integrity and/or
confidentiality; but availability is often, usually, and in general,
more important than confidentiality or integrity.
Another disadvantage of blocking is that you can't get a secure
connection through hostile partial MITMing.
As the whole point of HPKP is to prevent MITM cryptographic attacks, we
must assume the ability to MITM traffic is available in any case which
HPKP might actually be useful.
Until April nss did not actually block sites in Linux for
Firefox/Chrome, but they changed it then. I don't know about Windows, OSX.
Ben Laurie was/is doing some stuff along these lines, and would know
more. Ben? You there?
-- Peter Fairbrother
More information about the ukcrypto
mailing list