Internet security has been severely shaken in the last few years, and tech giants such as Google are working to provide stability and security for their users and their personal information. With user security in mind, Google wrote the HTTP Public Key Pinning (HPKP) standard. After much consideration, Google now plans to deprecate HPKP support in Chrome.
Google changes its mind
HPKP was designed to prevent a compromised Certificate Authority from misissuing digital certificates for websites, which would let an attacker intercept Transport Layer Security (TLS) connections. By using HPKP, a website could instruct the browser to remember (pin) the public keys belonging to its web server.
Only three internet browsers support HPKP: Chrome, Firefox and Opera. Google now wants to remove Chrome from that list, which could happen when it releases Chrome 67, around the 29th of May, 2018.
Security issues of HPKP
According to security researchers, a browser that supports HPKP could be abused by a hacker to install malicious pins, and website operators could accidentally block their own visitors with a mistaken policy.
Security researcher Scott Helme has explained that a hacker could send a malicious HPKP header to certain visitors of a website. Even once the site operator regains control, browsers that stored the malicious policy still cannot access the site.
A perfect example is Smashing Magazine. While renewing an expiring SSL certificate, the magazine enabled HPKP and set the policy's lifetime to 365 days. After the new, valid certificate was rolled out, browsers that still held the old HPKP policy could not access the site.
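The two failure modes above (a pin that no longer matches the served chain, and a policy cached for a year) can be reproduced with a few lines that evaluate a Public-Key-Pins header the way a browser does. The following is an added example written for this article, not code from Google, Chrome, Smashing Magazine or the HPKP authors; the SubjectPublicKeyInfo byte strings are constructed placeholders rather than real DER-encoded keys, and the function names, the `lockout_scenario` replay and the 30-day max-age limit in the lint are this example's own assumptions. The lint also goes one step beyond the article by checking the RFC 7469 requirement that a policy carries a backup pin.

```python
"""Evaluate an HTTP Public-Key-Pins header as a browser would, then lint it
for the deployment mistakes that lock visitors out.

Added example for this article, not code from Google, Chrome or the HPKP
authors. The SubjectPublicKeyInfo byte strings are constructed placeholders
standing in for real DER-encoded keys; every name here is the example's own."""
import base64
import hashlib

# Constructed stand-ins for DER-encoded SubjectPublicKeyInfo blobs. A real
# deployment would extract these from the certificate chain with a TLS library.
OLD_LEAF_SPKI = b"constructed SPKI: key of the expiring certificate"
NEW_LEAF_SPKI = b"constructed SPKI: key of the renewed certificate"
BACKUP_SPKI = b"constructed SPKI: offline backup key"

ONE_YEAR = 365 * 24 * 60 * 60  # the 365-day lifetime described in the article


def spki_pin(spki_der: bytes) -> str:
    """RFC 7469 pin value: base64 of SHA-256 over the DER SubjectPublicKeyInfo."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def parse_hpkp(header: str) -> dict:
    """Parse the directives of a Public-Key-Pins header value."""
    policy = {"pins": [], "max_age": None, "include_subdomains": False, "report_uri": None}
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "pin-sha256":
            policy["pins"].append(value)
        elif name == "max-age":
            policy["max_age"] = int(value)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "report-uri":
            policy["report_uri"] = value
    return policy


def chain_matches(policy: dict, chain_spkis: list) -> bool:
    """The browser-side check on every later connection: at least one pinned
    hash must appear somewhere in the served certificate chain."""
    served = {spki_pin(spki) for spki in chain_spkis}
    return bool(served & set(policy["pins"]))


def lint_hpkp(policy: dict, chain_spkis: list, max_age_limit: int = 30 * 24 * 60 * 60) -> list:
    """Deployment checks to run before the header goes live. The 30-day
    max-age limit is this example's own conservative default, not a value
    taken from the article or from RFC 7469."""
    problems = []
    served = {spki_pin(spki) for spki in chain_spkis}
    pinned = set(policy["pins"])
    if not (served & pinned):
        problems.append("no pin matches the served chain: browsers will refuse to connect")
    if not (pinned - served):
        # RFC 7469 requires a backup pin, one that is NOT in the current chain,
        # so the key can be rotated without stranding clients that cached the policy.
        problems.append("no backup pin: rotating the certificate will lock visitors out")
    if policy["max_age"] is None:
        problems.append("max-age missing: the header is invalid")
    elif policy["max_age"] > max_age_limit:
        problems.append(f"max-age {policy['max_age']}s exceeds {max_age_limit}s; a mistake persists that long")
    return problems


def lockout_scenario() -> dict:
    """Replay the lockout: a pin for the old key only, cached for a year, then a renewal."""
    header = f'pin-sha256="{spki_pin(OLD_LEAF_SPKI)}"; max-age={ONE_YEAR}'
    policy = parse_hpkp(header)
    return {
        "warnings_before_deploy": lint_hpkp(policy, [OLD_LEAF_SPKI]),
        "old_cert_accepted": chain_matches(policy, [OLD_LEAF_SPKI]),
        "new_cert_accepted": chain_matches(policy, [NEW_LEAF_SPKI]),
    }


def safe_header() -> str:
    """The same policy with a backup pin and a one-week max-age, which passes the lint."""
    return (f'pin-sha256="{spki_pin(OLD_LEAF_SPKI)}"; '
            f'pin-sha256="{spki_pin(BACKUP_SPKI)}"; max-age={7 * 24 * 60 * 60}')


if __name__ == "__main__":
    for key, value in lockout_scenario().items():
        print(key, "->", value)
    print("safe header lint:", lint_hpkp(parse_hpkp(safe_header()), [OLD_LEAF_SPKI]))
```

Running it shows the old certificate accepted, the renewed one rejected, and two warnings the lint would have raised before deployment: no backup pin and a max-age far longer than any rollback window. With the safer header, a future renewal has to use the key behind the backup pin (here `BACKUP_SPKI`) for cached clients to keep connecting, which is exactly the operational discipline the article's examples show sites failing to keep.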
Ryan Sleevi, one of the creators of the HPKP standard, has described pinning as harmful rather than helpful.
Helme conducted a study in August 2016 and found that only 375 sites used HPKP.