15-11-17, Google plans to remove support for HTTP Public Key Pinning (HPKP)
HTTP Public Key Pinning (HPKP, RFC 7469) is a security mechanism that lets a site tell browsers, via the Public-Key-Pins response header, to accept only certificate chains that contain one of a set of "pinned" public keys (SHA-256 hashes of the SubjectPublicKeyInfo) for that host, for a period set by max-age. The specification was written by Google engineers and published in 2015, and Chrome shipped support the same year. However, it never gained wide adoption.
Chris Palmer of the Chrome security team announced, in an "Intent to Deprecate and Remove" post to the Chromium blink-dev list, that HPKP is dead and that Google plans to remove support for it. This is expected to happen in Chrome 67 (scheduled for May 2018). Among the major browsers, full support for HPKP has only ever been available in Chrome and Opera. Firefox started but never completed its deployment of HPKP support, and Apple and Microsoft never began.
Chrome developers also plan to remove the built-in pins ("static pins") that ship with the browser itself. This is planned for once Chrome requires Certificate Transparency for all publicly trusted certificates; no specific date has been set.
Why did Google decide to abandon HPKP?
It all boils down to the fact that HPKP is a brittle way to achieve goals that other mechanisms, Certificate Transparency in particular, already achieve more safely.
HPKP problems are as follows:
- It is difficult to build a set of pins that is guaranteed to keep working, because CAs and trust stores build and validate chains differently, so the intermediate you pin may not be the one a given client sees.
- There is a risk of locking users out of the site: a wrong or stale pin set, or a key rotation to a key that was never pinned, makes every browser that has cached the pins refuse to connect until max-age expires.
- There is a risk of hostile pinning: an attacker who briefly controls the host, or who obtains a misissued certificate for it, can pin keys that only the attacker holds, locking the legitimate owner out of their own site for the full max-age.
According to Palmer, to protect against misissued certificates, site operators should instead use the Expect-CT header together with its reporting capability. Expect-CT is safer than HPKP because a misconfiguration can be recovered from: in report-only mode (without the enforce directive) a mistake only produces reports rather than a blocked site. Moreover, Certificate Transparency is already supported by many CAs, which log the certificates they issue, so the site has no pin set of its own to maintain.
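The following is an added example, not code from the original article or from Chrome; it models how a browser processes the Public-Key-Pins header described above and reproduces the two lockout failure modes from the list (a rotation to an unpinned key, and hostile pinning), alongside the report-only Expect-CT header recommended as the replacement. The SPKI byte strings, host name and report URIs are constructed stand-ins, not real keys or endpoints.

```python
import base64
import hashlib

# Constructed stand-ins for DER-encoded SubjectPublicKeyInfo blobs (not real keys).
# For a real certificate the DER SPKI is obtained with:
#   openssl x509 -in cert.pem -pubkey -noout | openssl pkey -pubin -outform DER
KEY_A = b"spki-der-of-current-leaf-key-A"
KEY_B = b"spki-der-of-offline-backup-key-B"
KEY_C = b"spki-der-of-new-leaf-key-C-after-reissue"
KEY_EVIL = b"spki-der-of-attacker-key"
DAY = 86400


def spki_pin(spki_der: bytes) -> str:
    """pin-sha256 value as defined by RFC 7469: base64(SHA-256(DER SPKI))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def build_hpkp_header(spkis, max_age, report_uri=None):
    """Public-Key-Pins value. RFC 7469 requires at least two pins; one should be
    a backup key kept offline so the site can rotate without locking users out."""
    if len(spkis) < 2:
        raise ValueError("HPKP requires at least two pins (one must be a backup)")
    parts = [f'pin-sha256="{spki_pin(s)}"' for s in spkis]
    parts.append(f"max-age={int(max_age)}")
    if report_uri:
        parts.append(f'report-uri="{report_uri}"')
    return "; ".join(parts)


def build_expect_ct_header(max_age, enforce=False, report_uri=None):
    """Expect-CT value. Without `enforce` it is report-only: a mistake yields
    reports at report_uri instead of a blocked site."""
    parts = [f"max-age={int(max_age)}"]
    if enforce:
        parts.append("enforce")
    if report_uri:
        parts.append(f'report-uri="{report_uri}"')
    return ", ".join(parts)


def parse_hpkp_header(value):
    """Return (set of pin-sha256 values, max-age) from a Public-Key-Pins value."""
    pins, max_age = set(), None
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")  # first '=' only: base64 may end in '='
        arg = arg.strip('"')
        if name.lower() == "pin-sha256":
            pins.add(arg)
        elif name.lower() == "max-age":
            max_age = int(arg)
    return pins, max_age


class PinStore:
    """Per-host pin cache, mimicking the browser's RFC 7469 behaviour."""

    def __init__(self):
        self.hosts = {}  # host -> (set of pins, expiry time)

    def chain_ok(self, host, chain_spkis, now):
        """False only when unexpired pins exist for the host and no SPKI in the
        served chain matches them: that is the connection-failure case."""
        entry = self.hosts.get(host)
        if entry is None or now >= entry[1]:
            return True
        return any(spki_pin(s) in entry[0] for s in chain_spkis)

    def observe(self, host, header_value, chain_spkis, now):
        """Note pins from a header received on a connection that already passed
        chain_ok. The header is honoured only if it is well formed and at least
        one pin matches the served chain (RFC 7469 section 2.6)."""
        pins, max_age = parse_hpkp_header(header_value)
        if len(pins) < 2 or max_age is None:
            return False
        if not any(spki_pin(s) in pins for s in chain_spkis):
            return False
        if max_age == 0:
            self.hosts.pop(host, None)  # max-age=0 clears the pins
        else:
            self.hosts[host] = (pins, now + max_age)
        return True


def simulate_rotation_lockout():
    """Site pins key A plus backup B for 60 days. Returns whether the browser
    connects on day 0, on day 30 after a reissue on an unpinned key C, on day 30
    if the site had rotated to the pinned backup B instead, and on day 61."""
    store = PinStore()
    header = build_hpkp_header([KEY_A, KEY_B], max_age=60 * DAY)
    day0 = store.chain_ok("example.test", [KEY_A], 0)
    store.observe("example.test", header, [KEY_A], 0)
    day30_unpinned = store.chain_ok("example.test", [KEY_C], 30 * DAY)  # locked out
    day30_backup = store.chain_ok("example.test", [KEY_B], 30 * DAY)    # recovery path
    day61 = store.chain_ok("example.test", [KEY_C], 61 * DAY)           # pins expired
    return day0, day30_unpinned, day30_backup, day61


def simulate_hostile_pinning():
    """An attacker who briefly controls the host serves their own key and pins it
    for a year; after recovery, browsers that saw that header reject the real key A."""
    store = PinStore()
    evil = build_hpkp_header([KEY_EVIL, b"attacker-backup-key"], max_age=365 * DAY)
    store.observe("example.test", evil, [KEY_EVIL], 0)
    return store.chain_ok("example.test", [KEY_A], 5 * DAY)


if __name__ == "__main__":
    print(build_hpkp_header([KEY_A, KEY_B], 60 * DAY, "https://example.test/hpkp-report"))
    print(build_expect_ct_header(DAY, report_uri="https://example.test/ct-report"))
    print(simulate_rotation_lockout(), simulate_hostile_pinning())
```

The two simulations are the practical content of the list above: once pins are cached, nothing the site does can shorten the lockout short of the pinned backup key being available, whereas the Expect-CT header built here carries no site-specific key material and can be switched from report-only to enforce only after the reports are clean.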
Subscribe to LeaderSSL updates to stay informed about news from the world of online security and SSL.