What is HTTP Public Key Pinning and Why It’s Not Good to Practice
In the annals of bad human ideas, HTTP public key pinning, or what’s more commonly known as HPKP, ranks right up there with spray-on hair and two-in-one toilet/bidets. Without straying too far into the proverbial weeds, we’re going to lay out why you definitely shouldn’t be pinning your keys in this blog post.
And to be clear — just in case you don’t read past this sentence — don’t pin your keys. Simply put, HPKP is a terrible idea, and it’s more likely to break your website than lead to any meaningful improvement in security! Even Google agrees.
What is HTTP Public Key Pinning?
Normally, when a client connects to a server, it uses the public keys in the certificates it is presented with: the end-entity (leaf) certificate and any intermediates in the certificate chain. But what if you wanted visitors to your website to trust only specific keys with those certificates, rather than whichever ones are presented to them?
Enter HTTP public key pinning, HPKP, or whatever you’d prefer to call it. It lets you “pin” the keys of your choice in an HTTP header, and the visitor’s browser then refuses any certificate chain for your site that does not contain one of those keys. In sophisticated enterprise environments, there’s a place for this kind of HTTP public key pinning header configuration. For 99.9% of websites, though, this just adds a needless layer of complexity that doubles as a ticking time bomb.
What Can Go Wrong with HPKP?
In a single word? Everything. If you don’t know what you’re doing, that is.
With a standard configuration, any time key rotation is performed, you simply install the new certificate on the server, which handles delivery of the public key. HPKP removes this convenience and replaces it with an onerous requirement to unpin and re-pin keys until you’ve configured it to your liking. Again, good if you know what you’re doing. Bad if you just want things to work.
Inevitably, someone will forget to pin a rotated key — or unpin an old one — and it’s going to cause SSL errors that will prevent visitors from reaching your website. Look, we don’t need to tell you how bad having your site break would be. You know, the whole “costly downtime, lost service, dissatisfied customers, and damaged reputation” thing. We’ve written about some of the errors that can result from the practice of key pinning.
Suffice it to say, key pinning is an open invitation to these problems.
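To make the failure mode above concrete, here is an added example (not code from the original post) that models how a browser handles a Public-Key-Pins header: it computes RFC 7469 pin values, parses the header, applies the rule that a header is only stored when it contains a matching pin plus a backup pin, and then checks whether a client that cached the pins still connects after the site rotates to a new key. The SubjectPublicKeyInfo blobs are constructed placeholders, not real keys, and the header values and helper names are assumptions.

```python
import base64
import hashlib
import re

def spki_pin(spki_der: bytes) -> str:
    """RFC 7469 pin value: base64(SHA-256(DER-encoded SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()

def parse_pkp_header(value: str) -> dict:
    """Split a Public-Key-Pins header into its pin list, max-age and includeSubDomains flag."""
    pins, max_age, include_sub = [], None, False
    for directive in value.split(";"):
        directive = directive.strip()
        m = re.fullmatch(r'pin-sha256="([A-Za-z0-9+/]+={0,2})"', directive)
        if m:
            pins.append(m.group(1))
        elif directive.lower().startswith("max-age="):
            max_age = int(directive.split("=", 1)[1])
        elif directive.lower() == "includesubdomains":
            include_sub = True
    return {"pins": pins, "max_age": max_age, "includeSubDomains": include_sub}

def header_is_accepted(pins, chain_spkis) -> bool:
    """A client only stores the pins if one pin matches the served chain and at
    least one does not (the mandatory backup pin, RFC 7469 section 2.5)."""
    chain_pins = {spki_pin(s) for s in chain_spkis}
    return any(p in chain_pins for p in pins) and any(p not in chain_pins for p in pins)

def chain_passes_pins(pins, chain_spkis) -> bool:
    """Pin validation on a later visit: some key in the presented chain must match a stored pin."""
    return any(spki_pin(s) in pins for s in chain_spkis)

# Constructed stand-ins for DER SubjectPublicKeyInfo blobs (not real keys).
LEAF_V1 = b"constructed-spki:leaf-key-v1"
LEAF_V2 = b"constructed-spki:leaf-key-v2"        # the key the site rotates to later
INTERMEDIATE = b"constructed-spki:intermediate-ca"
CHAIN_V1 = [LEAF_V1, INTERMEDIATE]
CHAIN_V2 = [LEAF_V2, INTERMEDIATE]

# Header pinning the current leaf plus a backup pin for the key that will be rotated to.
HEADER_WITH_BACKUP = ('pin-sha256="%s"; pin-sha256="%s"; max-age=5184000; includeSubDomains'
                      % (spki_pin(LEAF_V1), spki_pin(LEAF_V2)))
# Header whose backup pin is some other offline key: the operator then rotated to LEAF_V2,
# which was never pinned, so cached clients are locked out until max-age expires.
HEADER_FORGOT_ROTATION = ('pin-sha256="%s"; pin-sha256="%s"; max-age=5184000'
                          % (spki_pin(LEAF_V1), spki_pin(b"constructed-spki:offline-backup")))

def rotation_outcome(header: str) -> bool:
    """True if a client that cached this header while CHAIN_V1 was served still connects on CHAIN_V2."""
    pins = parse_pkp_header(header)["pins"]
    return header_is_accepted(pins, CHAIN_V1) and chain_passes_pins(pins, CHAIN_V2)

if __name__ == "__main__":
    print("backup pin covers new key:", rotation_outcome(HEADER_WITH_BACKUP))
    print("rotated key never pinned: ", rotation_outcome(HEADER_FORGOT_ROTATION))
```

The second header is exactly the "forgot to pin a rotated key" case: every browser that cached it keeps rejecting the site for the full max-age, and nothing the server sends can shorten that.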
How Do I Avoid HPKP Problems?
Abstinence. Do not pin your keys — period. Everything will still work perfectly fine without pinning your keys. In fact, things will work better. Not pinning keys makes rotating keys and swapping certificates substantially easier.
So, long story short: avoid certificate and public key pinning.