Only 0.1% of you are doing web server security right

Venerable net-scan outfit Netcraft has issued what cliché would describe as “a stinging rebuke” to sysadmins the world over, for ignoring HTTP Public Key Pinning (HPKP).

Pinning is designed to defend users against impersonation attacks, in which an attacker tricks a certificate authority to issue a fraudulent certificate for a site.

If the attacker can present a user with a certificate for fubar.com, they can impersonate the site, opening a path for malfeasance like credential harvesting.

HPKP would address – but as Netcraft says here, it only works if sysadmins apply it at the server, and they're not.

“Less than 0.1% of certificates found in Netcraft's March 2016 SSL Survey were served with the HPKP header,” the post says, adding: “Where it has been deployed, a third of webmasters have mistakenly set a broken HPKP policy. With so many mistakes being made, the barrier to entry is evidently high.”

Putting that into numbers, Netcraft says only 3,000 certficates are using HPKP: 4,100 sites in total are serving the public-key-pins header, but a quarter of those are making mistakes with it.

The biggest reason Netcraft gives for sysadmins avoiding the protocol is that while it relieves risk for users, there is a risk for the business using HPKP. Sysadmins have to set a policy lifetime for HPKP – and if the site operator loses the certificate keys, their site will be inaccessible for the whole of that policy lifetime.

The three case studies the post provides illustrate the challenge involved in that trade-off: