Public Key Pinning in Firefox 32 to protect against MITM attacks

Public Key Pinning (PKP) is an extension to the HTTP protocol that is in draft status currently over at the Internet Engineering Task Force (IETF).

It allows web services to reduce the number of authorities that can authenticate the domain by instructing clients to only use a specific subset of authorities instead of accepting any root certificate that ships with the browser.

The technique is designed to reduce the chance of man in the middle (MITM) attacks under certain circumstances and protect against rogue certificate authorities.

The security feature works only on the second visit to the site and not on the first as information about certificate authorities that the site accepts need to be submitted to the client during the first visit. This is called trust on first use (TOFU).

This means that it won't help if a rogue certificate is used during the first connection attempt or if a man in the middle attack is happening at that time.

Another issue for site owners is that improper pinning may result in their sites or services becoming invalid.

A pin in this context describes the relationship between a hostname, say a website like Amazon, and a cryptographic identity.

Starting with Firefox 32, Firefox will support Public Key Pinning. Firefox 32 is currently available as a beta version and will be made available to stable users of the browser on September 2, 2014.

Firefox displays the lock icon indicating a secure site as normal if a certificate authority specified by a site the browser is connecting to is known by the browser. Firefox will reject the connection otherwise if that is not the case.

If the latter is the case, a secure connection failed error is displayed in the browser.

secure connection failed

It is interesting to note that Firefox will ship with built-in pins just like Google Chrome does. This integrates pinning instructions for select domain names to overcome the trust on first use issue as information are present in the browser from the get go.

Starting with Firefox 32, Firefox will ship with pinning information for Twitter, Mozilla AMO and Mozilla CDN host names. From Firefox 33 on, it will add Google and additional Twitter domains to that list. From Firefox 34 on, the list will be extended with the Firefox accounts domain, TOR, and Dropbox.

Pinning Preference

firefox public key pinning

Pinning is enabled by default in Firefox 32 and newer versions of the browser. A preference is provided that controls the feature.

security.cert_pinning.enforcement_level

  • 0. Pinning disabled
  • 1. Allow User MITM (pinning not enforced if the trust anchor is a user inserted CA, default)
  • 2. Strict. Pinning is always enforced.
  • 3. Enforce test mode.

The default value of the preference is set to 1. This can be changed to 0 to disable pinning or 2 to enable strict pinning.

Summary
Article Name
Public Key Pinning in Firefox 32 to protect against MITM attacks
Author
Description
Starting with Firefox 32, Mozilla will integrate Public Key Pinning in the browser to protect against man in the middle attacks and rogue certificate authorities.
Please share this article

facebooktwittergoogle_plusredditlinkedinmail


Responses to Public Key Pinning in Firefox 32 to protect against MITM attacks

  1. Pants August 28, 2014 at 11:03 am #

    mmmm .. Tofu :)

  2. bastik August 28, 2014 at 6:33 pm #

    The question that arises is why other websites are packed into the built-in list far later, especially Google, than others?

    Also it would be of interest if the list can be edited by the end-users. At least if an end-user has a trusted source for those pins, the list can be used to decrease MITM surface.

  3. Nebulus August 28, 2014 at 7:25 pm #

    "Allow User MITM" can be useful if you have a security solution (i.e: antivirus) that scans your HTTPS traffic. In this case, using "2" can break things...

Leave a Reply