Connect with us

Hi, what are you looking for?


Application Security

Google to Remove Support for PKP in Chrome

Google is planning to deprecate and eventually completely remove support for public key pinning (PKP) from the Chrome web browser.

Google is planning to deprecate and eventually completely remove support for public key pinning (PKP) from the Chrome web browser.

The first step in this direction would be to remove support for HTTP-based PKP (“dynamic pins”) from the browser. This is currently planned for Chrome 67, which is set to be released to the stable channel in late May 2018, Google engineer Chris Palmer says.

The next step involves removing support for built-in PKP (“static pins”). This should happen at a time “when Chrome requires Certificate Transparency for all publicly-trusted certificates,” but no specific date for the change has been provided as of now.

PKP is used to defend against certificate misissuance through a Web-exposed mechanism (HPKP) that allows sites to limit the set of certificate authorities (CAs) that can issue for their domain.

“However, this exposes as part of the Open Web Platform considerations that are external to it: specifically, the choice and selection of CAs is a product-level security decision made by browsers or by OS vendors, and the choice and use of sub-CAs, cross-signing, and other aspects of the PKI hierarchy are made independently by CAs,” Palmer notes.

Thus, website admins could find it difficult to select a reliable set of keys to pin to, which has resulted in a low adoption of PKP. This could also hurt user experience through unexpected or spurious pinning errors that would result in error fatigue rather than user safety, Palmer argues.

According to him, some of the involved risks include the rendering of a site unusable and hostile pinning (when an attacker obtains a misissued certificate). He also notes that it is difficult “to build a pin-set that is guaranteed to work, due to the variance in both user-agent trust stores and CA operations.”

Advertisement. Scroll to continue reading.

Google’s engineer explains that no website would be impacted by the removal of static or dynamic PKP, and that other major browsers don’t support key pinning either.

Only 375 of the Alex Top 1 Million sites were using HPKP as of August 2016, and only 76 were using the Report-Only (RO) variant. However, there has been a major surge in HPKP deployment earlier this year, “almost entirely caused by Tumblr deploying HPKP across their entire catalogue of sites,” Scott Helme notes. More than 3,000 sites were using it as of August 2017.

Web developers looking to defend against certificate misissuance are advised to use the Expect-CT header, which is said to be safer than HPKP due to increased flexibility when it comes to recovering from configuration errors. It also benefits from built-in support by a number of CAs and can be deployed on a domain without additional steps when obtaining certificates for the domain.

Related: Microsoft Discloses Code Execution Flaw in Chrome

Related: Hijacked Extensions Put 4.7 Million Chrome Users at Risk

Related: Google Wants Symantec Certificates Replaced Until Chrome 70

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.

Application Security

GitHub this week announced the revocation of three certificates used for the GitHub Desktop and Atom applications.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Application Security

Many developers and security people admit to having experienced a breach effected through compromised API credentials.