ptpb / pb

pb is a formerly-lightweight pastebin and url shortener

ptpb.pw key pinning error #176

Closed sudokode closed 7 years ago

sudokode commented 7 years ago

Open https://ptpb.pw in firefox (tested on 49 and 50).

[screenshot: 2016-12-02-182810_835x491_scrot]

squigglezworth commented 7 years ago

At first it was a DNS error, now it's an SSL error... This has been going on for a few days now

sudokode commented 7 years ago

Well, both were expired registrations. That's understandable... This one, I'm not even sure why this is happening. It doesn't seem to affect anything else (chromium, curl), but firefox does seem to care more about SSL/TLS security. Usually there's a way to circumvent these edge cases, but this one doesn't seem to be passable, which means Mozilla thought it was bad enough to prevent any idiot (as usual) and "Advanced" users from clicking through to a potentially malicious site.

sudokode commented 7 years ago

Seems there is a way to bypass this. Firefox just doesn't like it when you switch from a pinned cert to a non-pinned cert. I guess this is the "Advanced Advanced..." button. Probably best to close firefox while doing this:

```shell
# show the cached HSTS/HPKP state Firefox holds for the host
grep ptpb.pw ~/.mozilla/firefox/*.default/SiteSecurityServiceState.txt
# drop that entry so the stale pin is forgotten
sed -i '/ptpb.pw/d' ~/.mozilla/firefox/*.default/SiteSecurityServiceState.txt
# confirm the entry is gone (run after retrying the site)
grep ptpb.pw ~/.mozilla/firefox/*.default/SiteSecurityServiceState.txt
```

(This may be a non-issue for the devs, but it might be best to leave this open for a while in case anyone else experiences the same problem.)

buhman commented 7 years ago

> Firefox just doesn't like it when you switch from a pinned cert to a non-pinned cert

Yeah, I stopped serving HPKP headers after migrating to AWS, but the original pin duration was at least a year, so it hasn't expired yet for anyone that's cached it.

> Seems there is a way to bypass this

Manipulating SiteSecurityServiceState.txt is mostly a Firefox usability issue IMO--there's no UI to clear/bypass the cached pin otherwise (aside from creating a new profile--that would work probably, but who wants to do that).

ghost commented 7 years ago

> Yeah, I stopped serving HPKP headers after migrating to AWS, but the original pin duration was at least a year, so it hasn't expired yet for anyone that's cached it.

I think you could have sent a header to disable HPKP before the cert expired, but too late now...
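A small simulation of the HPKP pin cache this thread is about, added here as an example and not ptpb's or Firefox's code: it notes pins from a Public-Key-Pins header, keeps rejecting a later unpinned key until max-age runs out, and shows the max-age=0 header that clears the cached pin before a certificate switch. The host name and key bytes used with it are constructed.

```python
import base64
import hashlib
import re
# Added illustration for this thread; hosts and keys passed in are constructed.
PIN_RE = re.compile(r'pin-sha256="([A-Za-z0-9+/=]+)"')
AGE_RE = re.compile(r'max-age=(\d+)')

def spki_pin(spki_der: bytes) -> str:
    """Pin value per RFC 7469: base64(SHA-256(SubjectPublicKeyInfo DER))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()

def pkp_header(spkis, max_age: int) -> str:
    """Build a Public-Key-Pins header value pinning the given keys."""
    pins = "; ".join('pin-sha256="%s"' % spki_pin(s) for s in spkis)
    return "%s; max-age=%d" % (pins, max_age)

def parse_pkp(header: str):
    """Return (pins, max_age), or None if the header is not valid HPKP."""
    pins = set(PIN_RE.findall(header))
    age = AGE_RE.search(header)
    if age is None or len(pins) < 2:   # max-age is mandatory; a backup pin is required
        return None
    return pins, int(age.group(1))

class PinStore:
    """The per-host pin cache a browser keeps (Firefox: SiteSecurityServiceState.txt)."""
    def __init__(self):
        self.known = {}  # host -> (set of pins, absolute expiry time)
    def matches(self, pins, chain_spkis) -> bool:
        return any(spki_pin(s) in pins for s in chain_spkis)

    def note_header(self, host, header, chain_spkis, now):
        """Cache pins from a response, only if the current chain satisfies them."""
        parsed = parse_pkp(header)
        if parsed is None or not self.matches(parsed[0], chain_spkis):
            return
        pins, max_age = parsed
        if max_age == 0:               # max-age=0 tells the UA to forget the host's pins
            self.known.pop(host, None)
        else:
            self.known[host] = (pins, now + max_age)

    def check(self, host, chain_spkis, now) -> bool:
        """Pin validation: pass if no unexpired pin is cached, else a key must match."""
        entry = self.known.get(host)
        if entry is None or now >= entry[1]:
            self.known.pop(host, None)   # expired pins are dropped
            return True
        return self.matches(entry[0], chain_spkis)
```

Once the old pin is cached with a year-long max-age, a client that never sees the max-age=0 header keeps failing on the new key until the year is up, which is the situation described above.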

Vaesper commented 7 years ago

Guys do you even security? This is exactly how HPKP was designed to work. It's not a usability issue on FF's end that ptpb fucked up its cert management so bad that the cert pinning mechanism which it chose to enable to protect against rogue certs kicks in and protects users against the new (unpinned) cert.

buhman commented 7 years ago

k