Re: [websec] #57: Re-add an upper limit to max-age

Yoav Nir <> Fri, 29 March 2013 21:16 UTC

From: Yoav Nir <>
To: Joseph Bonneau <>
Thread-Topic: [websec] #57: Re-add an upper limit to max-age
Date: Fri, 29 Mar 2013 21:15:44 +0000

On Mar 29, 2013, at 1:45 PM, Joseph Bonneau <> wrote:

>> Hopefully, it's not just Google that implements this. I guess any browser that implements this will have some kind of reset button (like they have for other stuff) that will erase all pins. So the site is not really bricked, but still it's pretty embarrassing to have to have a message on their home page like "Chrome for Mac OS X users of, due to an administrative error, please select the 'Clear Browsing Data…' menu item from the Chrome menu, select 'the beginning of time' from the dropdown menu, and check the 'dynamic public key pins' box. Then click 'Clear browsing data'. Sorry for the inconvenience."
> Perhaps we have a different working definition of "bricked"? By
> bricked, I meant that HPKP pins were set which the site no longer has
> the ability to satisfy, period. There are many ways that this could
> happen: pinning to two end-entity keys and losing the private keys,
> attempting to pin to a CA key but entering the hash incorrectly, and
> still having the pins accepted since the end-entity key pin is valid,
> or a malicious bricking with a mis-issued certificate. In this case, a
> bricked domain would be unable to show anything at all to users, so
> they couldn't ask users to hit a "reset pins" button as you suggest.

This assumes all these domains are also STS (H or not). If the site also has an HTTP server (like most are now), then that server can display the message.

Perhaps there should be some website that lists bricked domains, perhaps maintained by the browser vendors or a consortium (CABF?). So when you get the HPKP error screen, you will not be able to click through, but you will be able to get the list of recently bricked domains. So if the site you were looking for is listed there, you would shake your head at their incompetence, and proceed to clear pins (or clear the specific pin if you're more security conscious). Of course, that site has to be strictly secure.
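A defender-side check for the bricking scenarios discussed in this thread, added here as an example that is not part of the thread or of any browser's implementation: it parses a Public-Key-Pins header and flags a configuration that could lock clients out (no pin matching the served chain, no backup pin outside the chain, or a max-age above a cap). The cap value, the sample pins and the header strings are constructed assumptions.

```python
import base64
from dataclasses import dataclass, field

# Assumed deployment policy: an upper bound on max-age (the value is an assumption;
# the thread argues for having such a limit, not for this particular number).
MAX_AGE_CAP = 60 * 24 * 3600  # 60 days in seconds


@dataclass
class PinPolicy:
    pins: set = field(default_factory=set)  # base64 SHA-256 hashes of SPKIs
    max_age: int = 0
    include_subdomains: bool = False


def parse_pkp_header(value):
    """Parse a Public-Key-Pins header value into a PinPolicy."""
    policy = PinPolicy()
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name == "pin-sha256":
            # A pin must be a base64-encoded 32-byte SHA-256 digest.
            if len(base64.b64decode(arg, validate=True)) != 32:
                raise ValueError("pin-sha256 is not a SHA-256 digest")
            policy.pins.add(arg)
        elif name == "max-age":
            policy.max_age = int(arg)
        elif name == "includesubdomains":
            policy.include_subdomains = True
    return policy


def pin_problems(policy, served_spki_hashes):
    """Return reasons this policy could brick the site, given the base64 SPKI
    hashes of the certificates the server actually serves (leaf and intermediates)."""
    served = set(served_spki_hashes)
    problems = []
    if not policy.pins & served:
        problems.append("no pin matches the served chain; clients will reject the site")
    if not policy.pins - served:
        problems.append("no backup pin outside the served chain; losing these keys bricks the site")
    if policy.max_age > MAX_AGE_CAP:
        problems.append(f"max-age {policy.max_age} exceeds the cap of {MAX_AGE_CAP}")
    return problems


# Constructed sample values (not real keys): base64 of 32 fixed bytes.
SAMPLE_LEAF_PIN = base64.b64encode(bytes([1]) * 32).decode()
SAMPLE_BACKUP_PIN = base64.b64encode(bytes([2]) * 32).decode()
GOOD_HEADER = f'pin-sha256="{SAMPLE_LEAF_PIN}"; pin-sha256="{SAMPLE_BACKUP_PIN}"; max-age=2592000; includeSubDomains'
SINGLE_PIN_HEADER = f'pin-sha256="{SAMPLE_LEAF_PIN}"; max-age=2592000'
BRICKING_HEADER = f'pin-sha256="{SAMPLE_BACKUP_PIN}"; max-age=31536000'
```

Running `pin_problems(parse_pkp_header(BRICKING_HEADER), [SAMPLE_LEAF_PIN])` reports both the unmatched chain and the over-long max-age; the single-pin header is flagged only for lacking a backup pin.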