Arthur Musgrove Home

HTTP Public Key Pinning is Effectively Dead

Synopsis: HTTP Public Key Pinning is a controversial security standard created and championed by Google and now abandoned by them, with Firefox and Opera likely not far behind. It was meant to mitigate one attack method, but created an even more dangerous one in the process.

Updated: 3/June/2018

What problem does HPKP attempt to solve?

Internet communications are secured by TLS/SSL, usually via the https protocol. This encryption ensures that an attacker cannot eavesdrop on communication. The encryption depends on certificates that confirm a site is who it says it is and provide the entry codes to the mathematical process used to encrypt the communication.

If an attacker is able to replace the certificate, either on the server itself or at any point along the way, they could masquerade as a legitimate site and intercept or even modify traffic. To understand a key risk HPKP is used to address, you need to understand the concept of a Man-in-the-Middle Attack.

Man-in-the-Middle (MITM) Attacks

The way TLS/SSL encrypted communication usually works on the Internet is that a server sends its public key to the client in a certificate, the client performs some validation on that certificate (primarily that it is signed by a trusted certificate authority), and then uses it as input to the mathematical and protocol steps that establish an encrypted channel to the server, so your communication cannot be intercepted.

This article is not going to be a tutorial on cryptography. If you are unfamiliar with encryption certificates, look at the address bar of the browser in which you are reading this article: you should see a lock symbol, indicating your communication is secure. Depending on your browser, you should be able to click on that lock and select "show certificate" or something similar. If you select that, you will see that the certificate for ajmusgrove.com was signed by the Amazon Root Certificate Authority. That Root CA is one of the certificates built into your browser. The reason your browser will trust the ajmusgrove.com certificate, which it has never seen before, is that it is signed by the Amazon Root CA, a certificate your browser trusts and also trusts to vouch for other certificates.

In a Man-in-the-Middle Attack, there is an intermediate point between the server and the client. The intermediate point establishes the channel to the server using the server's legitimate certificate, then establishes the secure communication with the client using a different certificate. Usually this is attempted with a malicious, self-signed certificate and the browser warns the user, but if the user accepts the warning (users will, more often than you'd believe) or the attacker uses a legitimately signed certificate on a very similar looking domain, then the attacker can sit in the middle of the communication, watching or even manipulating it. You can see how devastating that type of attack can be!

What did HPKP do?

With HPKP, you could tie your site to a specific certificate, or more usually a signing certificate authority, for a period of time. This means if an attacker were able to compromise your site with a new certificate, or able to conduct a successful MITM attack, the client would simply refuse to operate.

It does this by implementing the header Public-Key-Pins. This header sends a set of hashes of acceptable certificates as well as a period of time during which the client should only accept these certificates. It does this with a 'trust first' strategy. The first time the Public-Key-Pins header is received, the client 'learns' the proper signatures, and until the period expires it will only use security certificates with those signatures.
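The pinning behaviour described above, as an added example that is not code from this article or from any browser: it parses a Public-Key-Pins value and models the client's learn-then-enforce rule from RFC 7469, where each pin is the base64 SHA-256 of a key's SubjectPublicKeyInfo. The function names and the three byte strings standing in for keys are constructed for illustration.

```python
import base64
import hashlib

def spki_pin(spki_der: bytes) -> str:
    """pin-sha256 value: base64(SHA-256(DER SubjectPublicKeyInfo)), per RFC 7469."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()

def parse_pkp(header: str) -> dict:
    """Parse a Public-Key-Pins header value (simplified: splits on ';')."""
    policy = {"pins": set(), "max_age": None, "include_subdomains": False}
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")  # first '=' only, so base64 padding survives
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "pin-sha256":
            policy["pins"].add(value)
        elif name == "max-age" and value.isdigit():
            policy["max_age"] = int(value)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
    return policy

def client_learns(policy: dict, chain_spkis: list) -> bool:
    """A client notes the pins only if max-age is positive (0 means "drop pins"),
    one pin matches the chain it just validated, and a backup pin is NOT in it."""
    chain = {spki_pin(s) for s in chain_spkis}
    return ((policy["max_age"] or 0) > 0
            and bool(policy["pins"] & chain)
            and bool(policy["pins"] - chain))

def connection_allowed(stored_pins: set, chain_spkis: list) -> bool:
    """While pins are stored, some key in the presented chain must be pinned."""
    return any(spki_pin(s) in stored_pins for s in chain_spkis)

# Constructed stand-ins for DER SubjectPublicKeyInfo blobs (not real keys).
LEAF_KEY, BACKUP_KEY, NEW_KEY = b"constructed-leaf", b"constructed-backup", b"constructed-new"

HEADER = (f'pin-sha256="{spki_pin(LEAF_KEY)}"; pin-sha256="{spki_pin(BACKUP_KEY)}"; '
          'max-age=5184000; includeSubDomains')

if __name__ == "__main__":
    policy = parse_pkp(HEADER)
    print("pins learned on first visit:", client_learns(policy, [LEAF_KEY]))
    print("rotate to backup key:", connection_allowed(policy["pins"], [BACKUP_KEY]))
    print("rotate to unpinned key:", connection_allowed(policy["pins"], [NEW_KEY]))
```

The last check is the lock-out case: a client that has stored the pins refuses a chain containing only an unpinned key until max-age runs out.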

What is the problem?

The key problem with HPKP, beyond its ability to brick websites in case of certificate or CA changes, is that it opened up the ability of an attacker to hijack a site and ransom it back to the owner. If an attacker could insert its own certificate and convince clients to pin it for 2 years, there was little an owner could do to undo that action.

After that, there are multiple types of malicious things an attacker could do. All of them, though, boil down to selling you the certificate that was now pinned to your site in all clients, and threatening to effectively brick your site if you refused to pay up.

Does HPKP have a future?

No. There have been a series of fixes proposed, but all are complex and either introduce their own problems or weaken the original intent so much as to make the standard pointless. HPKP was never supported in Safari, IE or Edge. It is still supported in Firefox and Opera, but with Chrome dropping it, it's hard to believe they will not drop support soon.

The idea was good and the problem it addressed real, but as sometimes happens, in this case the cure was worse than the disease.