Google: Chrome is backing away from public key pinning, and here's why

Video: Chrome claims majority of desktop browser market

Google has announced plans to deprecate Chrome support for HTTP public key pinning (HPKP), an IETF standard that Google engineers wrote to improve web security but now consider harmful.

HPKP, as described in IETF 7469, was designed to reduce the risk of a compromised Certificate Authority misissuing digital certificates for a site, allowing an attacker to perform a man-in-the-middle attack on encrypted Transport Layer Security (TLS) connections.

Using HPKP, any website can tell browsers to remember, or 'pin', which public keys belong to a specific web server for a set period of time. After that, the browser ignores all other public keys for the set duration.

Currently Chrome, Firefox, and Opera are the only browsers that support HPKP, but Google's Chrome security team have announced plans to remove support for HPKP in Chrome 67, which is due for stable release around May 29, 2018.

Security researchers have highlighted a number of problems with HPKP, including the possibility for an attacker to install malicious pins or for a site operator to accidentally block visitors.

As per the standard, the first time a browser connects to a site the server tells it, using a HPKP header, which public keys belong to it. After that, browsers only accept certificates that have been signed with keys in the header.

Security researcher Scott Helme recently pointed out that an attacker who compromised a web server could send a site's visitors their own malicious HPKP headers. While the site operator could regain control of the site, browsers wouldn't be able to connect to it because of the attacker's HPKP policy.

This scenario happened to Smashing Magazine when it was updating an expiring SSL certificate. It enabled HPKP and set the policy for 365 days. After rolling out new valid certificates, all browsers with the old HPKP policy couldn't visit the site. Also, the new HPKP policy did nothing to update the old one.

Ryan Sleevi, one of the Chrome members who wrote the standard, has since described pinning as "terrible", admitting it harms the ecosystem more than it helps it.

Google's deprecation notice acknowledges Helme's study in August 2016, which found only 375 sites were using HPKP.

Qualys' web security expert Ivan Ristic last year said HPKP was doomed because it required too much effort for site operators to maintain properly and could be used as a "powerful weapon" against all other sites.

Instead of pinning, the Chrome team are now encouraging developers to use Certificate Transparency and the relatively new Expect-CT header.

"To defend against certificate misissuance, web developers should use the Expect-CT header, including its reporting function," they note.

"Expect-CT is safer than HPKP due to the flexibility it gives site operators to recover from any configuration errors, and due to the built-in support offered by a number of CAs."

Previous and related coverage

Google: This surge in Chrome HTTPS traffic shows how much safer you now are online

Google's HTTPS-everywhere push is showing results in page loads on Chrome.

IT leader's guide to reducing insider security threats [Tech Pro Research]

Insider threats can pose even greater risks to company data than those associated with external attacks.

Read more about Google Chrome

• Best Google Chrome extensions to enhance your productivity, security, and performance
• Google Chrome can now spot even brand new phishing pages
• Google Chrome under attack: Have you used one of these hijacked extensions?