HTTP Public Key Pinning, or HPKP, has sure had an interesting journey as a standard but today marks what will probably be the final blow for the dying mechanism. Chrome has announced their plans to deprecate and remove support for HPKP as soon as 29th May 2018.
What is HPKP?
Taking the intro right from the HPKP RFC:
This document defines a new HTTP header that allows web host operators to instruct user agents to remember ("pin") the hosts' cryptographic identities over a period of time. During that time, user agents (UAs) will require that the host presents a certificate chain including at least one Subject Public Key Info structure whose fingerprint matches one of the pinned fingerprints for that host. By effectively reducing the number of trusted authorities who can authenticate the domain during the lifetime of the pin, pinning may reduce the incidence of man-in-the-middle attacks due to compromised Certification Authorities.
In short, HPKP was designed to help a site operator protect themselves from rogue or mis-issued certificates. If a bad guy manages to compromise a Certificate Authority, or somehow trick them into issuing a certificate, you could have someone on the Internet with a certificate for your domain. They could pretend to be you and intercept what otherwise appears to be perfectly secure and encrypted traffic. If you want more details on HPKP you can read my introductory blog.
Supporting HPKP
I spent a fair share of my time supporting HPKP and trying to help site operators understand and deploy it. It's adoption still remains incredibly low as can be seen in my Alexa Top 1 Million site scans that I perform every 6 months and publish reports for. I built a full HPKP Toolset into report-uri.io, I wrote guidance on setting up HPKP, demonstrated failures so people could understand the risk and even built a free reporting service so sites could deploy and test it with no chance of causing harm. Despite all of that, and the even larger efforts of the wider community, HPKP adoption never really took off. My guess is that it never really took off because it could cause irreparable damage to your site if you deployed it wrong.
The ugly
I've written two articles that sum up my current views pretty well. The first was called Using security features to do bad things and talked about the problem of something called RansomPKP. It turns out that an attacker could take control of your website and use HPKP against you by deploying it and locking your visitors to their keys, from which there is no real way back. Whilst this attack only got a lot of air time more recently after being talked about at BlackHat and DEF CON, it is actually mentioned in the HPKP RFC itself in section 4.5, Hostile Pinning. On top of those issues, and despites all of the efforts outlined above, the basic fact remained that it was still difficult to deploy HPKP and lead me to ultimately declare I'm giving up on HPKP. The article itself goes into all the gritty details on why and this Twitter thread also has a really nice summary of my views.
See thread for my views on why HPKP is going and what's coming next: https://t.co/7xKBmCh4OR
— Scott Helme (@Scott_Helme) October 27, 2017
Can we save it?
Honestly, I don't think so. There are ways that we could take the mechanism and improve it to make it safer, sure, but they'd need a lot of collaboration, agreement and eventually support. That's all going to take time, a lot of time, all while the issues are still out there. Ivan Ristic asked the question Is HTTP Public Key Pinning Dead? back in Sep 2016 and even put forward two proposals to try and fix it just last month. Fixing HPKP with Pin Revocation and Fixing HPKP with Certificate Constraints are both steps in the right direction but they're literally the first step in a very long marathon. I also don't think we've seen HPKP abused to its full potential yet either.
Worst case scenario
As far as web standards go it's really new and I whilst I know many sites have committed HPKP suicide, we've not seen a ransom attack in the wild using it yet. A story caught my eye recently where multiple .io TLD nameserver domains became available for registration and fortunately for everyone with a .io domain this was spotted by a researcher. Had this not, and had an attacker been really malicious, they could quite easily take control of DNS, resolve domains, obtain certificates and activate HPKP in a fully automated fashion! We could have seen RansomPKP on an enormous scale. HPKP would allow the attacker to persist the damage for months after the attack had happened and been cleared up. I have to admit, that's a pretty daunting prospect. I did an episode on the Risky Business podcast with Patrick Gray recently titled HPKP as an attack vector and you can listen to that where I talk a little more about that idea.
Now we wait
It will be interesting to see how the wider community reacts to this news and how the deprecation plays out in Chrome. I'm sure that this news will give Firefox something to think about as the only other browser that supports HPKP as they could soon be the only browser that supports it. That's it for now but, as always, feedback and comments welcome below.