Sunday, September 9, 2018

HTTP Public Key Pinning


HTTP Public Key Pinning (HPKP) is an Internet security mechanism delivered via an HTTP header which allows HTTPS websites to resist impersonation by attackers using mis-issued or otherwise fraudulent certificates. In order to do so, it delivers a set of public keys to the client (browser), which should be the only ones trusted for connections to this domain.
For example, attackers might compromise a certificate authority, and then mis-issue certificates for a web origin. To combat this risk, the HTTPS web server serves a list of “pinned” public key hashes valid for a given time; on subsequent connections, during that validity time, clients expect the server to use one or more of those public keys in its certificate chain. If it does not, an error message is shown, which cannot be (easily) bypassed by the user.
Contrary to a common belief, the technique does not pin certificates, but public keys. This means that one can use the key pair to get a certificate from any certificate authority, when one has access to the private key. Alternatively, the public keys of root or intermediate certificates (created by certificate authorities) can also be pinned, which would subsequently allow all certificates issued by that certificate authority.
The mechanism was deprecated by the Google Chrome team in late 2017 because of its complexity and dangerous side-effects. Google recommends using Expect-CT as a safer alternative.

Courtesy of Wikipedia

Cumberland Computer Services., LLC
205-467-4055
https://cumberlandcomputerservices.com/
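To make the mechanism concrete, here is an added example (not code from the original post or from Wikipedia) of the client-side logic described above, written against RFC 7469 with the Python standard library only: parsing a Public-Key-Pins header, computing the pin-sha256 value of a public key, remembering pins per host for max-age seconds, and rejecting a later chain that contains none of the pinned keys. The SPKI values are constructed byte strings standing in for DER-encoded SubjectPublicKeyInfo structures; the host names, header and key labels are likewise made up for the demonstration.

```python
"""Client-side HTTP Public Key Pinning (RFC 7469) logic, stdlib only.
Added example; not code from the original page or from Wikipedia."""
import base64
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed stand-ins for DER-encoded SubjectPublicKeyInfo structures.
# Real pins hash the actual DER bytes; the logic below is the same for them.
SERVER_KEY = b"constructed-spki: key in the live certificate"
BACKUP_KEY = b"constructed-spki: offline backup key, not yet in any certificate"
CA_KEY = b"constructed-spki: intermediate CA that issued the live certificate"
ATTACKER_KEY = b"constructed-spki: key in a mis-issued certificate"


@dataclass
class PinPolicy:
    pins: Set[str]                    # each is base64(SHA-256(SPKI DER))
    max_age: int                      # seconds the client keeps the pins
    include_subdomains: bool = False
    report_uri: Optional[str] = None


def spki_pin(spki_der: bytes) -> str:
    """The pin-sha256 value a server operator would publish for this key."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def parse_hpkp_header(value: str) -> PinPolicy:
    """Parse a Public-Key-Pins header value; max-age is mandatory (RFC 7469 s.2.1)."""
    pins: Set[str] = set()
    max_age: Optional[int] = None
    include_subdomains = False
    report_uri = None
    for directive in value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, raw = directive.partition("=")
        name, val = name.strip().lower(), raw.strip().strip('"')
        if name == "pin-sha256":
            pins.add(val)
        elif name == "max-age":
            max_age = int(val)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "report-uri":
            report_uri = val
    if max_age is None:
        raise ValueError("Public-Key-Pins header without max-age is invalid")
    return PinPolicy(pins, max_age, include_subdomains, report_uri)


def chain_matches(policy: PinPolicy, chain_spki: List[bytes]) -> bool:
    """Pin validation: any key in the (already validated) chain may satisfy a pin,
    so pinning an intermediate accepts every certificate that CA issues."""
    return any(spki_pin(spki) in policy.pins for spki in chain_spki)


def policy_is_noteworthy(policy: PinPolicy, chain_spki: List[bytes]) -> bool:
    """RFC 7469 s.2.5: a client stores a pin set only if one pin matches the chain
    AND at least one backup pin does not, so a lost key cannot lock the site out."""
    chain_pins = {spki_pin(spki) for spki in chain_spki}
    return bool(policy.pins & chain_pins) and bool(policy.pins - chain_pins)


class PinStore:
    """Per-host memory of noted pins, as a browser kept it."""

    def __init__(self) -> None:
        self._entries: Dict[str, Tuple[PinPolicy, int]] = {}

    def note(self, host: str, policy: PinPolicy, chain_spki: List[bytes], now: int) -> bool:
        """Process a header received over a validly authenticated connection."""
        if policy.max_age == 0:
            self._entries.pop(host, None)          # max-age=0 withdraws the pins
            return False
        if not policy_is_noteworthy(policy, chain_spki):
            return False                           # header ignored, nothing stored
        self._entries[host] = (policy, now + policy.max_age)
        return True

    def _lookup(self, host: str) -> Optional[PinPolicy]:
        labels = host.split(".")
        for i in range(len(labels)):               # exact host, then each parent
            entry = self._entries.get(".".join(labels[i:]))
            if entry and (i == 0 or entry[0].include_subdomains):
                return entry[0]
        return None

    def check(self, host: str, chain_spki: List[bytes], now: int) -> bool:
        """True if the connection may proceed; False is the non-bypassable error."""
        for h, (_, expiry) in list(self._entries.items()):
            if now >= expiry:
                del self._entries[h]               # expired pins are forgotten
        policy = self._lookup(host)
        if policy is None:
            return True                            # nothing pinned: ordinary TLS checks only
        return chain_matches(policy, chain_spki)


# Header a server would send for the constructed keys above (max-age = 60 days).
HEADER = (f'pin-sha256="{spki_pin(SERVER_KEY)}"; pin-sha256="{spki_pin(BACKUP_KEY)}"; '
          'max-age=5184000; includeSubDomains')

if __name__ == "__main__":
    store = PinStore()
    store.note("example.com", parse_hpkp_header(HEADER), [SERVER_KEY, CA_KEY], now=0)
    print("legitimate chain:", store.check("www.example.com", [SERVER_KEY, CA_KEY], now=100))
    print("mis-issued chain:", store.check("www.example.com", [ATTACKER_KEY, CA_KEY], now=100))
```

Two points from the text show up directly in the code: because the pin covers the public key rather than the certificate, a certificate re-issued for the same key (or rotated to the backup key) still passes `chain_matches`, and because the header is only accepted when it names a backup key that is not in the current chain, an operator who loses the live key can recover rather than locking every returning visitor out until max-age expires, which is the side-effect that led to the mechanism's deprecation.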
