HSTS and HPKP "pinned certs" - breaks decryption and captive portal

Reply
Highlighted
L3 Networker

HSTS and HPKP "pinned certs" - breaks decryption and captive portal

I'm seeing many sites recently, like Google and Reddit for example, that are implementing HPKP, which prevents man-in-the-middle decryption like the PA. Currently, Chrome browsers completely ignore the PA certificate on these sites and use the site cert. Firefox just stops with a security message with no proceed or bypass, even when the PA root cert has been imported manually into the browser.

 

Besides the fact that this breaks PA decryption, my concern is when captive portal "web-form" is enabled, some browsers do not forward to the portal if the first webpage someone browses to has HPKP (like gmail). It just fails to open the site, until the user tries a different site (or a different browser). 

 

The only workaround I have been able to find is to whitelist these sites, but the number keeps growing.  Is there a better way to fix the captive portal issue?

 

 

Tags (3)
L4 Transporter

Re: HSTS and HPKP "pinned certs" - breaks decryption and captive portal

it should work with Chrome is your CA is deployed in Trust Enterprise store (not the classic & standard public CA store)

L4 Transporter

Re: HSTS and HPKP "pinned certs" - breaks decryption and captive portal

https://developer.mozilla.org/en-US/docs/Web/Security/Public_Key_Pinning

 

Firefox (and Chrome) disable Pin Validation for Pinned Hosts whose validated certificate chain terminates at a user-defined trust anchor (rather than a built-in trust anchor).

L3 Networker

Re: HSTS and HPKP "pinned certs" - breaks decryption and captive portal


@cpainchaud wrote:

https://developer.mozilla.org/en-US/docs/Web/Security/Public_Key_Pinning

 

Firefox (and Chrome) disable Pin Validation for Pinned Hosts whose validated certificate chain terminates at a user-defined trust anchor (rather than a built-in trust anchor).


Not quite sure what that means. I've added the PA cert into Firefox as both trusted root and in personal store (and whatever the other options are), but it still blocks it.

L4 Transporter

Re: HSTS and HPKP "pinned certs" - breaks decryption and captive portal

it says 'starting firefox 32' what version do you have and in which store did you install it ?

L4 Transporter

Re: HSTS and HPKP "pinned certs" - breaks decryption and captive portal

https://wiki.mozilla.org/SecurityEngineering/Public_Key_Pinning#Implementation_status

 

How to use pinning

Starting with FF 32, it's on by default, so you don't have to do anything. The pinning level is enforced by a pref, security.cert_pinning.enforcement_level

  • 0. Pinning disabled
  • 1. Allow User MITM (pinning not enforced if the trust anchor is a user inserted CA, default)
  • 2. Strict. Pinning is always enforced.
  • 3. Enforce test mode.

 

What mode is enabled in yours ?

L3 Networker

Re: HSTS and HPKP "pinned certs" - breaks decryption and captive portal

Well, with Chrome, I have the PA cert imported as trusted publisher, root, etc. But, even if Google.com is in the decryption profile, Chrome itself ignores the Palo cert. I go to google.com or YouTube.com and look at the certificate, instead of my cert, it's google's own cert. But all other websites that use SSL do show my cert correctly, so I know it's working. It's only HPKP (or it might just be google's own sites). 

 

As for Firefox, I'm using the latest version on my test machine. While I can easily make any conf changes here, the main issue is that there is no practical way to add certificates to Firefox on an enterprise-scale. It doesn't use GPO, so the cert has to be manually added to each installation. Then it wil work with "normal" websites and I verified that it decrypts. But it will not work with HPKP, unless each Firefox installation is manually changed with that setting you mentioned earlier (which I haven't had a chance to test yet).

 

Chrome isn't the main issue, because it just overrides the PA cert and allows the user to pass without a warning message. I'm not too concerned about decrypting Google's websites.

 

Firefox on the other hand, presents a hard security warning and prevents bypassing it. 

L4 Transporter

Re: HSTS and HPKP "pinned certs" - breaks decryption and captive portal

it used to work with previous versions in my lab I am pretty sure with Chrome. Might be a bug on their side as their doc says it should work. May be you could open a bug on chromium project ?

L0 Member

Re: HSTS and HPKP "pinned certs" - breaks decryption and captive portal

I just went through this hell last week.

 

Solution: uninstall Firefox, delete the Mozilla folder under %APPDATA%, reboot, reinstall Firefox, reinstall firewall cert. 

 

You should be good to go.

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!