

RIP HPKP: Google abandons public key pinning

No home in Chrome

Google is abandoning a next-generation web crypto technology it initially championed.

HTTP Public Key Pinning (HPKP) is a standard that allows a host to instruct browsers to only accept certain public keys when communicating with it for a given period of time. While HPKP can offer a lot of protection, the technology was open to potential abuse by hackers or accidental lockout if sysadmins misapplied it, as previously reported on The Register.

In a blog post last week, Google's Chris Palmer announced plans to deprecate HPKP support by Chrome from May next year – when Chrome 67 is slated to be released to Stable – before removing it entirely at some as yet unspecified date.

Google introduced HPKP support in Chrome around two years ago, in September 2015. Edge and Safari have never supported HPKP, and the removal of support by other browser makers is not anticipated to cause any major upheaval.

"There is no compatibility risk; no website will stop working as a result of the removal of static or dynamic PKP," according to Palmer, who goes on to suggest possible alternatives to HPKP. "To defend against certificate misissuance, web developers should use the Expect-CT header, including its reporting function. Expect-CT is safer than HPKP due to the flexibility it gives site operators to recover from any configuration errors, and due to the built-in support offered by a number of CAs."

Security researchers including Scott Helme previously criticised the technology as too cumbersome for mainstream use, even among security-conscious organisations. Ivan Ristic of SSL Labs argued that HPKP was problematic not because it was an inherently bad idea, but because it lacked a recovery mechanism.
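The lockout and no-recovery problems described above, as an added example that is not from the article or from Google's or Chrome's code: a small Python checker that computes RFC 7469 pin values and flags the Public-Key-Pins mistakes that either get the header ignored or leave a site with no backup pin to rotate to. The SPKI byte strings are constructed placeholders, not real keys.

```python
import base64
import hashlib
import re

# Constructed stand-ins for DER-encoded SubjectPublicKeyInfo blobs. In practice
# these come from the served certificate and from an offline backup key pair;
# the byte strings here are placeholders, not real keys.
SERVED_SPKI = b"constructed DER bytes of the served leaf key"
BACKUP_SPKI = b"constructed DER bytes of an offline backup key"


def pin_sha256(spki_der: bytes) -> str:
    """RFC 7469 pin value: base64(SHA-256(DER SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()


def build_hpkp_header(served_spki: bytes, backup_spki: bytes, max_age: int) -> str:
    """Build a Public-Key-Pins header with a served pin plus a backup pin."""
    return (f'pin-sha256="{pin_sha256(served_spki)}"; '
            f'pin-sha256="{pin_sha256(backup_spki)}"; max-age={max_age}')


def check_hpkp(header: str, served_spkis) -> list:
    """Return the problems a deployment review should flag for an HPKP header.

    A header that breaks the RFC 7469 rules is ignored by browsers; one that
    passes them but pins only keys in the served chain is worse, because the
    next key rotation locks returning visitors out until max-age expires.
    """
    pins = re.findall(r'pin-sha256="([^"]+)"', header)
    served = {pin_sha256(spki) for spki in served_spkis}
    problems = []
    if not re.search(r'max-age=\d+', header):
        problems.append("missing max-age: browsers will not cache the pins")
    if len(pins) < 2:
        problems.append("fewer than two pins: RFC 7469 requires a backup pin")
    if not any(p in served for p in pins):
        problems.append("no pin matches the served chain: header is invalid")
    elif all(p in served for p in pins):
        problems.append("all pins are served keys: no backup, rotation locks clients out")
    return problems


if __name__ == "__main__":
    safe = build_hpkp_header(SERVED_SPKI, BACKUP_SPKI, max_age=5184000)
    risky = f'pin-sha256="{pin_sha256(SERVED_SPKI)}"; max-age=5184000'
    print("safe header problems:", check_hpkp(safe, [SERVED_SPKI]))
    print("risky header problems:", check_hpkp(risky, [SERVED_SPKI]))
```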

“Two HPKP disappointments. First, that a half-baked standard got deployed to production. Second, [the] decision to kill it, rather than fix it,” Ristic said in reaction to Google’s decision. ®
