HTTP public key pinning

From Wikipedia, the free encyclopedia

HTTP Public Key Pinning (HPKP) is a mechanism for protecting the HTTPS protocol against man-in-the-middle attacks that use fraudulent certificates which are nevertheless signed by a recognized certificate authority (CA). HPKP allows the set of certificates accepted for a domain to be restricted on the basis of the trust-on-first-use principle. The server defines a list of valid certificates, with a limited validity period, using the Public-Key-Pins HTTP header; the user's web browser stores this list and uses it to check the certificate on subsequent visits.

The list of valid certificates can contain any certificate in the key hierarchy. It is thus possible to declare both end-entity certificates for the specific domain and certificate-authority certificates as valid; with the latter, every certificate signed by that certificate authority is accepted. The list must contain at least one certificate that is currently in use and at least one that is currently not in use. The latter serves as a backup certificate, reducing the risk of losing all certificates defined as valid at once.
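The following Python sketch is an added illustration, not code from the article or from any browser, of the lifecycle just described: the server emits a Public-Key-Pins header with a pin for the key in use plus a backup pin, the browser notes the pins on first use only if a backup pin is present, and later connections are checked against the noted pins until max-age expires. The SPKI byte strings are constructed stand-ins; in practice they are the DER-encoded SubjectPublicKeyInfo taken from each certificate.

```python
import base64
import hashlib
import re

# Constructed stand-ins for DER-encoded SubjectPublicKeyInfo structures.
# A real deployment extracts these from the certificates (e.g. openssl x509 -pubkey).
SPKI_LEAF = b"constructed-spki-leaf-key-in-use"
SPKI_BACKUP = b"constructed-spki-backup-key-kept-offline"
SPKI_OTHER = b"constructed-spki-key-not-on-the-pin-list"


def pin_sha256(spki_der: bytes) -> str:
    """RFC 7469 pin value: base64 of the SHA-256 digest of the DER SPKI."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()


def build_header(pins, max_age, include_subdomains=False):
    """Server side: assemble the Public-Key-Pins header value."""
    parts = ['pin-sha256="%s"' % p for p in pins] + ["max-age=%d" % max_age]
    if include_subdomains:
        parts.append("includeSubDomains")
    return "; ".join(parts)


def parse_header(value):
    """Browser side: pull the pins and directives out of the header value."""
    pins = re.findall(r'pin-sha256="([A-Za-z0-9+/=]+)"', value)
    max_age = re.search(r"max-age=(\d+)", value)
    if not pins or max_age is None:
        raise ValueError("Public-Key-Pins needs at least one pin-sha256 and a max-age")
    return {"pins": set(pins), "max_age": int(max_age.group(1)),
            "include_subdomains": "includeSubDomains" in value}


def note_pins(header_value, chain_spkis, now):
    """First use: note the pins only if one matches the served chain and at least
    one is a backup pin, i.e. matches no key in the chain (RFC 7469, 2.5 and 4.3)."""
    parsed = parse_header(header_value)
    chain_pins = {pin_sha256(spki) for spki in chain_spkis}
    if not (parsed["pins"] & chain_pins) or parsed["pins"] <= chain_pins:
        return None  # header ignored: no matching pin or no backup pin
    return {"pins": parsed["pins"], "expires": now + parsed["max_age"]}


def validate_connection(noted, chain_spkis, now):
    """Later connection: pass if nothing is noted, the pins have expired, or any
    key in the presented chain matches a noted pin (RFC 7469, 2.6)."""
    if noted is None or now >= noted["expires"]:
        return True
    return any(pin_sha256(spki) in noted["pins"] for spki in chain_spkis)
```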

History

HTTP Public Key Pinning was proposed by Google in November 2011 and is standardized as RFC 7469.

Chrome supported HPKP from October 2015 (version 46), marked it as deprecated in version 68 and removed support in version 72. Firefox supported HPKP from January 2015 (version 35) and removed support in January 2020 with version 72. Unlike Opera, Safari and Edge do not support HPKP.

In October 2017, Chris Palmer, co-author of the HPKP standard and a member of the Google Chrome team, proposed marking HPKP support as deprecated from Chrome version 67, expected in May 2018, and removing it completely once Certificate Transparency becomes mandatory for all certificates in Chrome. Adoption of the standard has remained low. Palmer sees one reason in the difficulty of choosing a list of valid certificates, since the website operator does not control all the relevant aspects, which also depend on operating-system and browser vendors and on the certificate authorities. In particular, HPKP risks rendering a site unusable, even for sites that do not use it themselves.

HPKP disadvantages

  • The complexity of HPKP overwhelmed many website operators and thus prevented a quick and error-free rollout.
  • Website operators render their site unusable if they lose all of their keys. Operators can choose to pin only the keys of end-entity certificates; if the key of the current certificate and the backup key are both lost, for example through a hardware failure, no certificate the browser would accept can be obtained for the website as long as the pin is valid.
  • Operators who pin only the keys of certificate authorities rely on those authorities continuing to issue certificates. When it became apparent in mid-2016 that WoSign was violating the rules for certificate authorities and had acquired StartCom, both certificate authorities were removed from many browsers' trust stores. Anyone who had pinned the StartCom root certificate with the WoSign root as the backup for their website could no longer obtain a certificate from either.
  • RansomPKP, key pinning as a means of extortion: an attacker who has compromised a web server can pin the website to a certificate and key of their own and then delete the key, demanding a ransom from the website operator for the return of the private key.
