This is a text-only version of the following page on https://raymii.org:

---
Title : Chrome 68 is deprecating HPKP (HTTP Public Key Pinning)
Author : Remy van Elst
Date : 12-06-2018
URL : https://raymii.org/s/blog/Chrome_68_is_deprecating_HPKP.html
Format : Markdown/HTML
---

### HPKP removed from Chrome 68

![][1]

In 2014 I [published an article on HPKP][2], HTTP Public Key Pinning. It allows a site operator to send a public key pin in an HTTP header, forcing the browser to only connect when that pinned key is presented. It was meant to reduce the risk of a compromised certificate authority (since any CA can create a certificate for any website). Quite secure, but it was often wrongly configured, forgotten until certificates expired, and there were some security issues like a false pin. Late 2017 Google announced that HPKP would be removed in Chrome 68. That version is released now, so HPKP is no longer supported.

A certificate authority like Comodo, because it is trusted by every browser, can issue a certificate for any site (so google.com, raymii.org). But the Netherlands government ([Staat der Nederlanden][3]) or the [Hong Kong Post Office][4] (Chinese government) are trusted as well, and are thus also able to issue a certificate for google.com. There are all kinds of rules prohibiting that, but as [I've shown][5] by getting a certificate for a website I don't own, just like [this guy did for Microsoft Live.fi][6], that it is prohibited by rules doesn't mean it is not technically possible. HPKP was meant to prevent that by hardcoding a certificate for your site into the browser.

The [Google development announcement can be found here][8], where they describe and discuss the intent to remove the feature from Chrome. [ZDNet][9] has an article going into more detail on what goes wrong when you forget about key pinning while a certificate expires:

> This scenario happened to [Smashing Magazine][10] when it was updating an expiring SSL certificate. It enabled HPKP and set the policy for 365 days. After rolling out new valid certificates, all browsers with the old HPKP policy couldn't visit the site. Also, the new HPKP policy did nothing to update the old one.

### Replacement for HPKP, Expect-CT header?

Google wants the [Expect-CT][11] header to replace HPKP. This header allows web host operators to instruct user agents (browsers) to expect valid Signed Certificate Timestamps (SCTs) to be served on connections to these hosts. When configured in enforcement mode, user agents (UAs) will remember that hosts expect SCTs and will refuse connections that do not conform to the UA's Certificate Transparency policy. There is no automatic detection of invalid or rogue certificates. As far as I understand, you must configure and monitor the CT logs yourself to find rogue certificates. I use [this site][12] and get emails when a certificate for a certain domain is found.
[This page][13] has a little bit more on the replacement:

> By combining Expect-CT with active monitoring for relevant domains, which a growing number of CAs and third-parties now provide, site operators can proactively detect misissuance in a way that HPKP does not achieve, while also reducing the risk of misconfiguration and avoiding the risk of hostile pinning, (Chris) Palmer said. Google's Certificate Transparency project is an open framework for monitoring and auditing SSL certificates. The goal behind the project is detection of mis-issued/malicious certificates and identification of rogue Certificate Authorities.

Read more about the [Expect-CT header in the RFC][14]. To read more about Certificate Transparency, [check the site here][15]. As I'm unsure how the actual header works, for example what defines when an error is given, I'm not recommending it yet, until I've done more research.

### Removing HPKP on raymii.org

I removed HPKP about half a year ago from the servers [hosting raymii.org][16]. First by setting the `max-age` portion of the header to `0`, which tells browsers that have HPKP cached to invalidate the stored pins. Otherwise, when changing the certificate, the browser would still have the old information and thus give errors. After 4 months, I actually changed the webserver configuration to remove the HPKP headers:

```
$ curl -I https://raymii.org
HTTP/2 200
server: nginx/1.10.3 (Ubuntu)
date: Tue, 12 Jun 2018 09:39:01 GMT
content-type: text/html
content-length: 376
last-modified: Tue, 05 May 2015 17:21:00 GMT
etag: "5548fbfc-178"
expires: Thu, 12 Jul 2018 09:39:01 GMT
cache-control: max-age=2592000
strict-transport-security: max-age=63072000; includeSubdomains; preload
referrer-policy: origin
x-xss-protection: 1; mode=block
coffee: Black
tea: Earl-Gray; Hot
x-frame-options: DENY
x-content-type-options: nosniff
x-ua-compatible: IE=Edge,chrome=1
cache-control: public
accept-ranges: bytes
```

As you can see, no `Public-Key-Pins` header.
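To check where a host stands in the decommissioning described above, and how an `Expect-CT` header from the previous section would be read, here is an added example (my own code, not from the post or raymii.org) that parses a response's `Public-Key-Pins` and `Expect-CT` headers and classifies them. The sample response is constructed from the curl output above plus hypothetical pin and Expect-CT values; `example.invalid` is a placeholder report endpoint.

```python
# Constructed sample: the post's raymii.org response with a hypothetical Public-Key-Pins
# header in the max-age=0 decommission phase and an Expect-CT header. Pins are placeholders.
SAMPLE_RESPONSE = """\
HTTP/2 200
strict-transport-security: max-age=63072000; includeSubdomains; preload
public-key-pins: pin-sha256="AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA="; pin-sha256="BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB="; max-age=0; includeSubDomains
expect-ct: max-age=86400, enforce, report-uri="https://example.invalid/ct-report"
"""

def parse_headers(raw):
    """Lower-cased header name -> list of values; the status line is skipped."""
    headers = {}
    for line in raw.splitlines()[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def directives(value, sep):
    """Split a directive list into [(name, value)]; HPKP uses ';', Expect-CT uses ','."""
    out = []
    for part in value.split(sep):
        name, _, val = part.strip().partition("=")
        if name:
            out.append((name.strip().lower(), val.strip().strip('"')))
    return out

def audit_hpkp(headers):
    """Public-Key-Pins state: absent, decommissioning (max-age=0) or enforced."""
    values = headers.get("public-key-pins")
    if not values:
        return {"state": "absent"}
    d = directives(values[0], ";")
    pins = [v for n, v in d if n == "pin-sha256"]
    max_age = int(dict(d).get("max-age", "0"))
    if max_age == 0:  # clients drop the cached pin on their next visit
        return {"state": "decommissioning", "pins": len(pins)}
    # RFC 7469 requires a backup pin; with a single pin a key rotation locks clients out.
    return {"state": "enforced", "pins": len(pins), "days": max_age // 86400,
            "backup_pin": len(pins) >= 2}

def audit_expect_ct(headers):
    """Expect-CT fails connections only with 'enforce' and max-age > 0; else it is report-only."""
    values = headers.get("expect-ct")
    if not values:
        return {"state": "absent"}
    d = dict(directives(values[0], ","))
    max_age = int(d.get("max-age", "0"))
    enforcing = "enforce" in d and max_age > 0
    return {"state": "enforce" if enforcing else "report-only",
            "days": max_age // 86400, "report_uri": d.get("report-uri")}
```

Run against the real curl output from the post, `audit_hpkp` reports `absent`, which is the end state you want after the `max-age=0` period.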
If you have HPKP and want to remove it, make sure to first set the time to `0` and let that run for a few months.

[1]: https://raymii.org/s/inc/img/chrome_68.png
[2]: https://raymii.org/s/articles/HTTP_Public_Key_Pinning_Extension_HPKP.html
[3]: https://en.wikipedia.org/wiki/PKIoverheid
[4]: https://bugzilla.mozilla.org/show_bug.cgi?id=408949
[5]: https://raymii.org/s/blog/How_I_got_a_valid_SSL_certificate_for_my_ISPs_main_website.html
[6]: http://web.archive.org/web/20180612111006/https://arstechnica.com/information-technology/2015/03/man-who-obtained-windows-live-cert-said-his-warnings-went-unanswered/
[7]: https://www.digitalocean.com/?refcode=7435ae6b8212
[8]: https://groups.google.com/a/chromium.org/forum/#!msg/blink-dev/he9tr7p3rZ8/eNMwKPmUBAAJ
[9]: http://web.archive.org/web/20180612110541/https://www.zdnet.com/article/google-chrome-is-backing-away-from-public-key-pinning-and-heres-why/
[10]: https://www.smashingmagazine.com/be-afraid-of-public-key-pinning/
[11]: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Expect-CT
[12]: https://ctadvisor.lolware.net/
[13]: http://web.archive.org/web/20180612100401/https://threatpost.com/google-to-ditch-public-key-pinning-in-chrome/128679/
[14]: http://web.archive.org/web/20180612095804/http://httpwg.org/http-extensions/expect-ct.html
[15]: http://www.certificate-transparency.org/how-ct-works
[16]: https://raymii.org/s/software/Sparkling_Network.html

---

License: All the text on this website is free as in freedom unless stated otherwise. This means you can use it in any way you want, you can copy it, change it the way you like and republish it, as long as you release the (modified) content under the same license to give others the same freedoms you've got and place my name and a link to this site with the article as source.