Force HSTS for Wikipedia in Chrome
Earlier I was browsing wikipedia and noticed it wasn’t being accessed over HTTPS. I checked and, sure enough, wikipedia doesn’t set an HSTS value (there’s some discussion of it on their bugzilla; their primary reason seems to be the failure mode: if a country were to block HTTPS, there wouldn’t be a way for Mozilla Firefox users to manually remove the rule and access wikipedia again).
Since I’m using Chrome I’m happy to force HSTS. I’d also like to pin the public key. In order to do this I had to get the HSTS pubkey hash for wikipedia.org; I found an excellent utility from StalkR on their blog post about almost this exact issue, HSTS Preloading, Public Key Pinning and Chrome: http_pins.py. I used this revision of the code.
This code expects a local certificate file, so I had to get a CRT version of wikipedia’s certificate. I did this using OpenSSL (which http_pins.py requires anyway). The command is:
openssl s_client -showcerts -connect en.wikipedia.org:443 </dev/null | openssl x509 -pubkey -noout >wikipedia.crt
This uses OpenSSL’s client to connect to en.wikipedia.org, fetch the certificate chain and then hang up (stdin is redirected from /dev/null so s_client exits immediately). The certificate chain is then piped to another openssl command, which reads only the first certificate in the stream (the leaf), extracts its public key and writes it to wikipedia.crt. It would be a good idea to check that the intermediate certificate chain is sensible before proceeding.
Next, run http_pins.py on that file. Here’s what I got (but you should check yourself):
$ ./http_pins.py wikipedia.crt
wikipedia.crt:
- SPKI fingerprint (sha256): 99:4a:39:4a:21:55:bf:ac:c6:46:71:9b:c0:dd:0b:d4:4b:f7:4a:95:36:19:fa:7c:de:52:75:07:2f:5a:23:77
Public-Key-Pins: max-age=600; pin-sha256="mUo5SiFVv6zGRnGbwN0L1Ev3SpU2Gfp83lJ1By9aI3c="
Warning! Per RFC you need at minimum two pins
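The warning above is worth taking seriously: a single pin on the leaf key locks you out of wikipedia the moment that key is rotated. The script below, an added example that is not part of the original post or of StalkR's http_pins.py, computes the same sha256/ pin for every certificate in a PEM chain (such as the raw output of openssl s_client -showcerts), so an intermediate's pin can be added as the second, backup pin. It assumes openssl is on PATH.

```shell
#!/bin/sh
# Added example: compute Chrome-style "sha256/<base64>" pins for each
# certificate in a PEM chain. Not part of the original post or of
# http_pins.py. Assumes the openssl binary is available.

# spki_pin FILE: print the pin of the FIRST certificate in FILE.
# The pin is SHA-256 over the DER-encoded SubjectPublicKeyInfo, base64'd,
# which is the value http_pins.py prints and chrome://net-internals/#hsts wants.
spki_pin() {
    openssl x509 -in "$1" -pubkey -noout \
        | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 -binary \
        | openssl base64 \
        | sed 's#^#sha256/#'
}

# chain_pins FILE: print one "sha256/..." line per certificate in FILE, in
# chain order (leaf first). Each PEM block is split into its own file and
# pinned separately, since `openssl x509` only ever reads the first one.
chain_pins() {
    tmpdir=$(mktemp -d) || return 1
    awk -v dir="$tmpdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert%02d.pem", dir, n) }
        n > 0 { print > out }
        /-----END CERTIFICATE-----/ { close(out) }
    ' "$1"
    for f in "$tmpdir"/cert*.pem; do
        [ -f "$f" ] && spki_pin "$f"
    done
    rm -rf "$tmpdir"
}
```

Because the pin covers only the public key, a renewed certificate that reuses the same key keeps the same pin; only a key change requires updating the Chrome entry.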
You can now go to the Chrome HSTS page, chrome://net-internals/#hsts , and add the domain “wikipedia.org”, ticking Include subdomains for STS and Include subdomains for PKP, then adding the quoted value from above (but prefixing it with sha256/). For me (and hopefully you too!) this was:
sha256/mUo5SiFVv6zGRnGbwN0L1Ev3SpU2Gfp83lJ1By9aI3c=
Happy secure browsing! Remember, if this breaks something it’s not my fault :-) You can always go back into the Chrome HSTS page and delete the preset you’ve added for wikipedia.org.