New SSL config with elliptical curve certs & no HPKP


#1

Switching over the server’s LetsEncrypt setup to DNS-01 validation, thanks to this acme script, which is the greatest thing since sliced bread, and took the opportunity to switch over to EC certificates instead of RSA. Shouldn’t make a difference to anyone unless you’re using Android 4.old or IE, in which case you wouldn’t even be able to read this in the first place so ¯\_(ツ)_/¯

More of a big deal, though, is that I’m taking a page from security researcher Scott Helme’s playbook and ditching HTTP public key pinning (“HPKP”). HPKP is a bit of tech whereby the web server informs all visitors via a special HPKP header what the hash of the site’s SSL/TLS public key should be, and browsers that support HPKP are supposed to look at the header, compute the hash themselves, and compare it to the header to make sure that the site’s certificate is the correct certificate and not a malicious one from some other source. It adds a fair amount of security against certain types of attacks, but it’s a massive pain in the ass to support with LetsEncrypt because it requires you do all kinds of crazy shit.

Further, HPKP makes it super easy to break your site and render it effectively offline, because if you screw up your HPKP configuration even a little bit and your HPKP header doesn’t match the public key hash, noone’s browser (including your own!) will display the site. And if you lose your key and have to regenerate your SSL/TLS certificate, you’re triple-screwed, because your only option is to wait until the HPKP duration time has passed—that’s the interval you as the server admin specify in the HPKP header, which best practices say should be 30-60 days.

Exactly 61 days ago, I modified the bigdino web server to stop sending HPKP headers, and I was using a 60-day expiration. Today is therefore the first day where no visitors’ browsers are looking for HPKP, and so as of today, I’ve swapped out all my certs and private keys.

Will do a blog post about this shortly, but wanted to give you guys a heads-up in case anyone experiences any weird issues.

tl;dr - If you can read this, everything is fine.

edit - if anyone is bored, here’s a nice, concise, nearly-math-free explanation from Computerphile on how elliptical curve cryptography works specifically when it comes to SSL/TLS certificates.


#2

I couldn’t read it. What do I do? What do I dooooo, @Lee_Ars!?


#3

But you can’t read, so we’re good.


#4

At times like these, I have a little poem to remind me what to do:

When in panic or in doubt,
Run in circles, scream and shout!


#5

I have too many co-workers that follow this poem verbatim.


#6

Wait, what?

New SSL configs? And no problems or issues so far?

Well done! It’s beer o’ clock*, let’s adjourn to the closest pub then.

*cooldrink o’ clock, or whatever you prefer if you don’t drink alcoholic beverages.


#7

Curves are awesome. Because it’s all about the base, 'bout the base.

AES-256 and TLS1.3, that is. Base standards, folks.