Review:
Http Public Key Pinning (hpkp)
overall review score: 2.5
⭐⭐⭐
score is between 0 and 5
HTTP Public Key Pinning (HPKP) was a security mechanism designed to prevent impersonation attacks by allowing HTTPS websites to specify which public keys should be considered valid for future connections. It involves the server transmitting a set of cryptographic pins, which browsers remember and enforce, ensuring that only the specified keys are used in subsequent connections. HPKP aimed to reduce risks associated with compromised or misissued SSL/TLS certificates but required careful implementation to avoid creating permanent lockouts.
Key Features
- Allows servers to specify trusted public keys via pins
- Helps protect against man-in-the-middle and impersonation attacks
- Works through HTTP headers that browsers interpret and store
- Provides long-term pinning policies if properly maintained
- Requires careful management to avoid accidental lockouts
- Supported by major browsers but deprecated in many due to risks
Pros
- Enhances security by reducing trust in unauthorized third-party certificates
- Adds an extra layer of protection for sensitive communications
- Can prevent certain types of CA compromise attacks
Cons
- Implementation complexity and risk of misconfiguration leading to site inaccessibility
- Decreased support and deprecation in major browsers (e.g., Chrome, Firefox)
- Requires careful key rotation planning and maintenance
- Potential for permanent locking if pins are not updated correctly
- Limited adoption has reduced its overall effectiveness