RIP HPKP: Google abandons public key pinning
No home in Chrome
Google is abandoning a next-generation web crypto technology it initially championed.
HTTP Public Key Pinning (HPKP) is a standard that lets a host instruct browsers to accept only certain public keys when communicating with it for a given period of time. While HPKP can offer a lot of protection against misissued certificates, the technology was open to abuse by hackers, who could pin a site they had briefly compromised to keys only they held, and to accidental lockout if sysadmins misapplied it or lost a pinned key, as previously reported on The Register.
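To make the mechanism and the lockout failure mode concrete, here is an added toy model of HPKP as RFC 7469 has a browser apply it. It is not code from the article or from Google, and the SPKI byte strings, header values, report URI and times are constructed stand-ins for illustration, not real keys or hosts. It computes pin-sha256 values, "notes" a Public-Key-Pins header only when the two-pin rule (one pin matching the served chain, one backup that does not) is satisfied, and then validates later connections, including a rotation to a never-pinned key that stays locked out until max-age elapses.

```python
"""Toy model of HPKP (RFC 7469) as a browser applies it: pin computation,
header noting with the two-pin rule, and validation on later connections.
Stdlib only; the SPKI blobs below are constructed stand-ins, not real keys."""
import base64
import hashlib
import re
from dataclasses import dataclass
from typing import Iterable, Optional

# Constructed stand-ins for DER-encoded SubjectPublicKeyInfo structures. A real
# pin hashes the SPKI of a certificate in the served chain (RFC 7469 s2.4).
SPKI_LEAF_2017 = b"constructed SPKI: leaf key issued 2017"
SPKI_BACKUP = b"constructed SPKI: offline backup key"
SPKI_LEAF_2018 = b"constructed SPKI: rotated leaf key, never pinned"

PIN_RE = re.compile(r'pin-sha256="([A-Za-z0-9+/=]+)"')


def pin_sha256(spki_der: bytes) -> str:
    """pin-sha256 directive value: base64(SHA-256(SPKI DER))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def build_pkp_header(spkis: Iterable[bytes], max_age: int,
                     include_subdomains: bool = False,
                     report_uri: Optional[str] = None) -> str:
    """Value of a Public-Key-Pins response header for the given SPKIs."""
    parts = [f'pin-sha256="{pin_sha256(s)}"' for s in spkis]
    parts.append(f"max-age={max_age}")
    if include_subdomains:
        parts.append("includeSubDomains")
    if report_uri:
        parts.append(f'report-uri="{report_uri}"')
    return "; ".join(parts)


@dataclass(frozen=True)
class NotedPins:
    """What a browser stores for a Pinned Host."""
    pins: frozenset
    expires: int            # absolute time (seconds) after which pins are dropped
    include_subdomains: bool
    report_uri: Optional[str]


def note_pkp_header(header: str, chain_spkis: Iterable[bytes],
                    now: int) -> Optional[NotedPins]:
    """Browser-side 'noting' of a header received over a validated connection.

    Returns None when the header must be ignored: no max-age, or the RFC 7469
    s2.5 two-pin rule fails (at least one pin must match the served chain and
    at least one must NOT, so a backup key exists for rotation)."""
    pins = set(PIN_RE.findall(header))
    directives = {}
    for part in header.split(";"):
        part = part.strip()
        if not part or part.startswith("pin-sha256="):
            continue
        if "=" in part:
            key, value = part.split("=", 1)
            directives[key.strip().lower()] = value.strip().strip('"')
        else:
            directives[part.lower()] = True
    if "max-age" not in directives:
        return None
    chain_pins = {pin_sha256(s) for s in chain_spkis}
    if not (pins & chain_pins) or not (pins - chain_pins):
        return None
    return NotedPins(frozenset(pins), now + int(directives["max-age"]),
                     "includesubdomains" in directives,
                     directives.get("report-uri"))


def pins_valid(noted: NotedPins, chain_spkis: Iterable[bytes], now: int) -> bool:
    """Validation on a later connection: at least one SPKI in the served chain
    must match a noted pin until the pins expire."""
    if now >= noted.expires:
        return True  # no longer pinned; the only recovery path HPKP offers
    return any(pin_sha256(s) in noted.pins for s in chain_spkis)


def rotation_scenario() -> dict:
    """Pin a leaf plus an offline backup, then try later connections."""
    t0 = 1_500_000_000             # arbitrary constructed 'now' in seconds
    max_age = 60 * 60 * 24 * 60    # 60 days, chosen for the example
    header = build_pkp_header([SPKI_LEAF_2017, SPKI_BACKUP], max_age,
                              include_subdomains=True,
                              report_uri="https://pkp-report.example/report")
    noted = note_pkp_header(header, [SPKI_LEAF_2017], t0)
    assert noted is not None
    return {
        "same_key": pins_valid(noted, [SPKI_LEAF_2017], t0 + 1),
        # Rotating to the pre-announced backup key is the intended path.
        "backup_key": pins_valid(noted, [SPKI_BACKUP], t0 + 1),
        # Rotating to a key that was never pinned locks visitors out...
        "unpinned_key": pins_valid(noted, [SPKI_LEAF_2018], t0 + 1),
        # ...until max-age elapses; the server cannot shorten that window.
        "unpinned_key_after_expiry":
            pins_valid(noted, [SPKI_LEAF_2018], t0 + max_age),
    }


if __name__ == "__main__":
    for case, ok in rotation_scenario().items():
        print(f"{case:28s} {'connects' if ok else 'LOCKED OUT'}")
```

The model shows why recovery is the sticking point: once pins are noted, the only way a host that has lost every pinned key can get visitors back is to wait out max-age, because a corrective header (including max-age=0) is only honoured over a connection that already passes pin validation.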
In a blog post last week, Google's Chris Palmer announced plans to deprecate HPKP support in Chrome from May next year – when Chrome 67 is slated to be released to Stable – before removing it entirely at an as yet unspecified date.
Google introduced HPKP support in Chrome two years ago, in September 2015. Edge and Safari have never supported HPKP, and the removal of support by other browser makers is not expected to cause any major upheaval.
"There is no compatibility risk; no website will stop working as a result of the removal of static or dynamic PKP," according to Palmer, who goes on to suggest possible alternatives to HPKP. "To defend against certificate misissuance, web developers should use the Expect-CT header, including its reporting function. Expect-CT is safer than HPKP due to the flexibility it gives site operators to recover from any configuration errors, and due to the built-in support offered by a number of CAs."
Security researchers including Scott Helme had previously criticised the technology as too cumbersome for mainstream use, even among security-conscious organisations. Ivan Ristic of SSL Labs argued that HPKP's problem was its lack of a recovery mechanism, not that pinning was an inherently bad idea.
“Two HPKP disappointments. First, that a half-baked standard got deployed to production. Second, [the] decision to kill it, rather than fix it,” Ristic said in reaction to Google’s decision. ®