Google is planning to deprecate and eventually completely remove support for public key pinning (PKP) from the Chrome web browser.
The first step in this direction would be to remove support for HTTP-based PKP (“dynamic pins”) from the browser. This is currently planned for Chrome 67, which is set to be released to the stable channel in late May 2018, Google engineer Chris Palmer says.
The next step involves removing support for built-in PKP (“static pins”). This should happen at a time “when Chrome requires Certificate Transparency for all publicly-trusted certificates,” but no specific date for the change has been provided as of now.
PKP is used to defend against certificate misissuance through a Web-exposed mechanism (HPKP) that allows sites to limit the set of certificate authorities (CAs) that can issue for their domain.
“However, this exposes as part of the Open Web Platform considerations that are external to it: specifically, the choice and selection of CAs is a product-level security decision made by browsers or by OS vendors, and the choice and use of sub-CAs, cross-signing, and other aspects of the PKI hierarchy are made independently by CAs,” Palmer notes.
Thus, website admins could find it difficult to select a reliable set of keys to pin to, which has resulted in a low adoption of PKP. This could also hurt user experience through unexpected or spurious pinning errors that would result in error fatigue rather than user safety, Palmer argues.
According to him, some of the involved risks include the rendering of a site unusable and hostile pinning (when an attacker obtains a misissued certificate). He also notes that it is difficult “to build a pin-set that is guaranteed to work, due to the variance in both user-agent trust stores and CA operations.”
Google’s engineer explains that no website would be impacted by the removal of static or dynamic PKP, and that other major browsers don’t support key pinning either.
Only 375 of the Alex Top 1 Million sites were using HPKP as of August 2016, and only 76 were using the Report-Only (RO) variant. However, there has been a major surge in HPKP deployment earlier this year, “almost entirely caused by Tumblr deploying HPKP across their entire catalogue of sites,” Scott Helme notes. More than 3,000 sites were using it as of August 2017.
Web developers looking to defend against certificate misissuance are advised to use the Expect-CT header, which is said to be safer than HPKP due to increased flexibility when it comes to recovering from configuration errors. It also benefits from built-in support by a number of CAs and can be deployed on a domain without additional steps when obtaining certificates for the domain.