Client SSL Public Key Pinning

Hey there, I would like to pin a public key in my client's application to ensure the HTTPS connection only gets established when the public key matches. It currently works fine; however, it seems like the public key of my server changes very frequently and randomly (sometimes every few days, sometimes every week), most likely an issue in my Cloudflare settings, but I expected that the public key only changes every year or half year, only when I have to pay the $9 for the domain to not expire. Any ideas how I can change my Cloudflare certificate settings to not change the public key so frequently?
8 Replies
Idle (3mo ago)
why... do you need this?
Chaika (3mo ago)
https://developers.cloudflare.com/ssl/reference/certificate-pinning/
Cloudflare does not support HTTP public key pinning (HPKP) for Universal, Advanced, or Custom Hostname certificates. This is because Cloudflare regularly changes the edge certificates provisioned for your domain and - if you had HPKP enabled - your domain would go offline. Additionally, industry experts discourage using HPKP. For a better solution to the problem that HPKP is trying to solve - preventing certificate misissuance - use Certificate Transparency Monitoring. To avoid downtime when pinning your certificates, use custom certificates and select user-defined bundle method. This way you can control which CA, intermediate, and certificate will be used after renewal.
Spuckwaffel (OP, 3mo ago)
I don't want people to use tools like HTTPSniffer to spy on the network traffic and alter it. Public key pinning makes sure this will not happen and will refuse to connect if a custom certificate is being used. Thanks for the link!
Idle (3mo ago)
I guess trusted CAs aren't a thing?
Spuckwaffel (OP, 3mo ago)
Ah... I didn't think about that, correct.
Idle (3mo ago)
AFAIK that's a biz/ent-only thing, no? In regard to Cloudflare SSL certificates.
laurmat (3mo ago)
Can this be done inside a Cloudflare Worker? For example, I have a simple worker that, when accessed, redirects (307) to site A. My issue is that if I use tools like Reqable, Charles Proxy, etc., I am able to see the redirect location in the response, and I would like to hide that info from people attempting HTTPS interception with such tools. Is that possible with Workers? Do you mind if I ask some questions in PM? So it's impossible to block such tools from inspecting a web app's API/requests, right?
Spuckwaffel (OP, 3mo ago)
Thanks @Leo, will do exactly that. Hopefully there are enough resources online; haven't seen much with curl C++ 🤣
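Added example, not code posted by anyone in the thread: what a client-side public key pin actually is (SHA-256 over the DER-encoded SubjectPublicKeyInfo, the "sha256//<base64>" form that HPKP and libcurl's CURLOPT_PINNEDPUBLICKEY use), how to extract the SPKI from a certificate with only the Python standard library, and why the thread's advice about controlling the intermediate/CA matters: an RFC 7469 pin set is satisfied by any certificate in the chain, so a backup pin on an intermediate you control survives the leaf rotation the OP is seeing, while a leaf-only pin breaks. The certificates built by `build_synthetic_cert` are unsigned, structurally valid stand-ins constructed for the demo, not real certificates; the function and variable names are this example's own.

```python
"""SPKI public-key pinning with the standard library only (added example).

The certificate bytes are synthetic, constructed below; nothing here talks to a
network. Pin format: 'sha256//' + base64(SHA-256(DER SubjectPublicKeyInfo)).
"""
import base64
import hashlib


def _read_tlv(buf: bytes, pos: int):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value, end)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:end], end


def _children(body: bytes):
    """Split a constructed element's body into (tag, raw TLV bytes) pairs."""
    pos, out = 0, []
    while pos < len(body):
        tag, _, end = _read_tlv(body, pos)
        out.append((tag, body[pos:end]))
        pos = end
    return out


def extract_spki(cert_der: bytes) -> bytes:
    """Return the raw DER SubjectPublicKeyInfo of an X.509 certificate.
    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
                                  issuer, validity, subject, subjectPublicKeyInfo, ... }"""
    tag, cert_body, _ = _read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("certificate is not a SEQUENCE")
    tbs_tag, tbs_raw = _children(cert_body)[0]
    if tbs_tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    _, tbs_body, _ = _read_tlv(tbs_raw, 0)
    fields = _children(tbs_body)
    if fields and fields[0][0] == 0xA0:    # explicit [0] version is absent in v1 certificates
        fields = fields[1:]
    if len(fields) < 6 or fields[5][0] != 0x30:
        raise ValueError("subjectPublicKeyInfo not found")
    return fields[5][1]


def pin_from_spki(spki_der: bytes) -> str:
    return "sha256//" + base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def spki_pin(cert_der: bytes) -> str:
    """Pin of a certificate: SHA-256 over its DER SPKI, base64, 'sha256//' prefix."""
    return pin_from_spki(extract_spki(cert_der))


def chain_matches_pins(chain_der, pins) -> bool:
    """RFC 7469 rule: the chain is accepted if any certificate in it matches a pin,
    so a pin on an intermediate/root you control survives leaf rotation."""
    return any(spki_pin(cert) in pins for cert in chain_der)


def _tlv(tag: int, body: bytes) -> bytes:
    """DER-encode one element with a definite (short or long form) length."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def build_synthetic_cert(public_key: bytes, with_version: bool = True):
    """Constructed sample: an unsigned but structurally valid certificate around an
    Ed25519-style SPKI (OID 1.3.101.112). Returns (cert_der, spki_der)."""
    alg = _tlv(0x30, _tlv(0x06, bytes([0x2B, 0x65, 0x70])))
    spki = _tlv(0x30, alg + _tlv(0x03, b"\x00" + public_key))           # BIT STRING, 0 unused bits
    cn = _tlv(0x30, _tlv(0x06, bytes([0x55, 0x04, 0x03])) + _tlv(0x0C, b"example.test"))
    name = _tlv(0x30, _tlv(0x31, cn))                                   # Name -> RDN SET -> CN
    validity = _tlv(0x30, _tlv(0x17, b"240101000000Z") + _tlv(0x17, b"250101000000Z"))
    tbs = _tlv(0xA0, _tlv(0x02, b"\x02")) if with_version else b""     # [0] EXPLICIT version v3
    tbs += _tlv(0x02, b"\x01") + alg + name + validity + name + spki    # serial, sigalg, issuer, ...
    cert = _tlv(0x30, _tlv(0x30, tbs) + alg + _tlv(0x03, b"\x00" * 65))  # dummy 64-byte signature
    return cert, spki


def demo():
    """Leaf rotates under a pinned intermediate: leaf-only pin fails, backup pin passes."""
    inter, inter_spki = build_synthetic_cert(bytes([0x11] * 32))
    leaf_v1, _ = build_synthetic_cert(bytes([0x22] * 32))
    leaf_v2, _ = build_synthetic_cert(bytes([0x33] * 32))
    leaf_only = {spki_pin(leaf_v1)}
    with_backup = {spki_pin(leaf_v1), pin_from_spki(inter_spki)}
    return {
        "leaf_pin_after_rotation": chain_matches_pins([leaf_v2, inter], leaf_only),
        "backup_pin_after_rotation": chain_matches_pins([leaf_v2, inter], with_backup),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(name, ok)
```

The string `spki_pin` produces is exactly what libcurl expects in `CURLOPT_PINNEDPUBLICKEY` (or `curl --pinnedpubkey 'sha256//...'` on the command line), and for a live server the same value comes from `openssl x509 -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | base64`. Note that libcurl checks the pin against the leaf only, so to use the intermediate-pin strategy from `chain_matches_pins` in a curl-based client you have to walk the chain yourself (for example via `CURLINFO_CERTINFO`) rather than rely on the single-pin option.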