Spartak - Fotolia
Public key pinning: Why is Google switching to a new approach?
After introducing HTTP Public Key Pinning to the internet two years ago, the upcoming Chrome will replace it with the Expect-CT header. Matt Pascucci explains the switch.
The upcoming version of the Chrome browser will officially drop public key pinning, according to Google, in favor of a new approach. What are the drawbacks of public key pinning, and what is Google's proposed new approach?
Google announced they'll be deserting HTTP Public Key Pinning (HPKP) in their upcoming Chrome 67 release. The decision to depreciate this feature in their browser hasn't come as a surprise to the industry, but it's interesting to watch Google take the lead on removing HPKP since they initially introduced the feature two years ago. In the place of HPKP, Google is recommending web developers deploy the Expect-CT header to defend against the malicious use of certificates.
Using HPKP is a strong way for a host to validate that a user's web browser is using the particular public key to communicate back to the site during a particular timeframe. With all the security that HPKP creates by refining policy on how to communicate securely with the host, it does create a somewhat difficult and clumsy process for organizations to manage.
Another issue that arises is something called "HPKP Suicide," where a key is deleted or stolen and is no longer able to be used to the site that it was pinned with. It's been shown the potential outages and issues deploying and managing HPKP outweighs the overall security gains that organizations benefit from deploying public key pinning.
Google is now recommending that web developers use the Expect-CT header, which expects all certificates being generated after April 2018 to be logged in Certificate Transparency (CT) or they'll be deemed untrustworthy. You can use this header to determine if you're ready for Chrome to validate that your communication is working properly. Certificate Transparency is the ability to give us more insight into our certificates and allows us to monitor them -- the CT logs allow others to monitor if any certificates are being issued for our domains. The CT logs will be submitted by the CA that issued certificate as this allows for a more open and auditable way of determining if certificates were mistakenly or maliciously issued to someone else besides the owner of the domain. It helps detect these types of issues and alert the CA and owner to act quickly to remediate the issue and potentially revoke the certificate in question. There are many CT logs that are compliant with Chromes policy and can be monitored for this very purpose.
Google has taken the approach to monitor for certificate tampering by having a standard created that won't be too complex or overwhelming for administrators to manage. This leaves the ball on the CA's and the CT logs during creation and allows for a more widely adoption of certificate security throughout the industry.
Ask the expert:
Want to ask Matt Pascucci a question about security? Submit your question now via email. (All questions are anonymous.)