
HTTP Public Key Pinning information


HTTP Public Key Pinning (HPKP) is an obsolete Internet security mechanism delivered via an HTTP header which allows HTTPS websites to resist impersonation by attackers using misissued or otherwise fraudulent digital certificates.[1] A server uses it to deliver to the client (e.g. web browser) a set of hashes of public keys that must appear in the certificate chain of future connections to the same domain name.

For example, attackers might compromise a certificate authority, and then mis-issue certificates for a web origin. To combat this risk, the HTTPS web server serves a list of “pinned” public key hashes valid for a given time; on subsequent connections, during that validity time, clients expect the server to use one or more of those public keys in its certificate chain. If it does not, an error message is shown, which cannot be (easily) bypassed by the user.

The technique does not pin certificates, but public key hashes. This means that anyone with access to the private key can use the key pair to get a certificate from any certificate authority. The user can also pin the public keys of root or intermediate certificates (created by certificate authorities), restricting the site to certificates issued by that certificate authority.
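The pin-and-check behaviour described above, as an added example (not code from the original article or from any browser): it uses the RFC 7469 header syntax (`Public-Key-Pins` with `pin-sha256` and `max-age`) and the RFC's rule that a header is only noted when it carries a backup pin. The `PinStore` class, the host name and the SPKI byte strings are constructed stand-ins for a client's pin cache and for real DER-encoded public keys.

```python
import base64, hashlib

def spki_pin(spki_der: bytes) -> str:
    """RFC 7469 pin: base64 of SHA-256 over the DER SubjectPublicKeyInfo."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()

def parse_pkp(header: str):
    """Parse a Public-Key-Pins value into (set of pins, max-age or None)."""
    pins, max_age = set(), None
    for directive in header.split(";"):  # simplified: no ';' inside quoted values
        name, _, value = directive.strip().partition("=")
        value = value.strip().strip('"')
        if name.lower() == "pin-sha256":
            pins.add(value)
        elif name.lower() == "max-age" and value.isdigit():
            max_age = int(value)
    return pins, max_age

class PinStore:
    """Hypothetical client-side pin cache: host -> (pins, expiry time)."""
    def __init__(self):
        self.hosts = {}

    def note(self, host, header, chain_spkis, now):
        pins, max_age = parse_pkp(header)
        chain = {spki_pin(s) for s in chain_spkis}
        # Accept only with max-age, one pin in the current chain, and one
        # backup pin outside it (the guard against administrator lockout).
        if max_age is None or not (pins & chain) or not (pins - chain):
            return False
        self.hosts[host] = (pins, now + max_age)
        return True

    def check(self, host, chain_spkis, now):
        entry = self.hosts.get(host)
        if entry is None or now >= entry[1]:
            return True  # no live pins: ordinary certificate validation only
        return any(spki_pin(s) in entry[0] for s in chain_spkis)

def demo():
    # Constructed byte strings standing in for DER SPKI structures.
    leaf, inter, backup, rogue = (b"spki-" + n for n in (b"leaf", b"ca", b"backup", b"rogue"))
    hdr = f'pin-sha256="{spki_pin(inter)}"; pin-sha256="{spki_pin(backup)}"; max-age=5184000'
    store = PinStore()
    return {
        "noted": store.note("example.test", hdr, [leaf, inter], now=0),
        "new_leaf_same_ca": store.check("example.test", [b"spki-leaf2", inter], now=100),
        "rogue_chain": store.check("example.test", [rogue, b"spki-other-ca"], now=100),
        "after_expiry": store.check("example.test", [rogue], now=5184000),
        "noted_without_backup": PinStore().note(
            "example.test", f'pin-sha256="{spki_pin(inter)}"; max-age=60', [leaf, inter], 0),
    }
```

Pinning the intermediate key lets a re-issued leaf from the same authority pass, while a chain from a different authority fails until the pins expire.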

Due to the complexity of the HPKP mechanism and the possibility of accidental misuse (potentially causing a lockout condition by system administrators), browsers deprecated HPKP in 2017 and removed support for it in 2018 in favor of Certificate Transparency.[2][3]

  1. Evans, Chris; Palmer, Chris; Sleevi, Ryan (April 2015). Public Key Pinning Extension for HTTP. IETF. doi:10.17487/RFC7469. ISSN 2070-1721. RFC 7469.
  2. Leyden, John (2017-10-30). "RIP HPKP: Google abandons public key pinning". The Register. Retrieved 2018-12-18.
  3. Tung, Liam (2017-10-30). "Google: Chrome is backing away from public key pinning, and here's why". ZDNet. Retrieved 2018-12-18.
