HTTP Public Key Pinning

From Wikipedia, the free encyclopedia

HTTP Public Key Pinning (HPKP) is an Internet security mechanism delivered via an HTTP header which allows HTTPS websites to resist impersonation by attackers using mis-issued or otherwise fraudulent digital certificates.[1] It does this by delivering a set of public keys to the client (e.g. web browser), which should be the only ones trusted for future connections to the same domain name.

For example, attackers might compromise a certificate authority, and then mis-issue certificates for a web origin. To combat this risk, the HTTPS web server serves a list of “pinned” public key hashes valid for a given time; on subsequent connections, during that validity time, clients expect the server to use one or more of those public keys in its certificate chain. If it does not, an error message is shown, which cannot be (easily) bypassed by the user.

Contrary to a common belief, the technique pins public keys, not certificates. Anyone who has access to the private key can therefore use the key pair to obtain a certificate from any certificate authority. Alternatively, the public keys of root or intermediate certificates (created by certificate authorities) can be pinned, which then allows all certificates issued by that certificate authority.

The mechanism was deprecated by the Google Chrome team in late 2017 because of its complexity and dangerous side-effects. Google recommends using Expect-CT as a safer alternative.[2][3]


The server communicates the HPKP policy to the user agent via an HTTP response header field named Public-Key-Pins (or Public-Key-Pins-Report-Only for reporting-only purposes).

The HPKP policy specifies, in pin-sha256 directives, hashes of the subject public key info of one of the certificates in the website's authentic X.509 public key certificate chain (and at least one backup key). A max-age directive gives the period of time during which the user agent shall enforce public key pinning, an optional includeSubDomains directive extends the pinning policy to all subdomains of the domain that sent the header, and an optional report-uri directive gives the URL to which pinning violation reports are sent. At least one of the public keys of the certificates in the certificate chain needs to match a pinned public key in order for the chain to be considered valid by the user agent.

At the time of publishing, RFC 7469 only allowed the SHA-256 hash algorithm. Hashes for an HPKP policy can be generated with the shell commands given in Appendix A of RFC 7469 or with third-party tools.

A website operator can pin the root certificate public key of a particular root certificate authority, allowing only that certificate authority (and all intermediate authorities signed by its key) to issue valid certificates for the website's domain; pin the key(s) of one or more intermediate issuing certificates; or pin the end-entity public key. These options can be combined.

At least one backup key must be pinned, in case the current pinned key needs to be replaced. An HPKP policy is not valid without this backup key (a backup key is defined as a public key not present in the current certificate chain).[4]
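The header format and the backup-key rule described above can be checked mechanically. The following is an added example, not code from RFC 7469 or any browser: it parses a Public-Key-Pins value, checks the max-age requirement, the matching-pin requirement and the backup-pin requirement, and evaluates a served chain against the policy. The byte strings stand in for DER-encoded SubjectPublicKeyInfo structures and, like the reports.example URL, are constructed for illustration.

```python
import base64
import hashlib
import re

def spki_pin(spki_der: bytes) -> str:
    """pin-sha256 value: base64 of SHA-256 over the DER SubjectPublicKeyInfo."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")

def parse_pkp(header: str) -> dict:
    """Parse a Public-Key-Pins header value into a policy dict."""
    policy = {"pins": set(), "max_age": None,
              "include_subdomains": False, "report_uri": None}
    # Split on ';' but not inside quoted strings (a report-uri may contain ';').
    for part in re.findall(r'(?:[^;"]|"[^"]*")+', header):
        name, _, value = part.strip().partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "pin-sha256":
            if len(base64.b64decode(value, validate=True)) != 32:
                raise ValueError("pin-sha256 is not a SHA-256 digest")
            policy["pins"].add(value)
        elif name == "max-age":
            policy["max_age"] = int(value)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "report-uri":
            policy["report_uri"] = value
    return policy

def policy_problems(policy: dict, chain_spkis: list) -> list:
    """Reasons a user agent would refuse to store the policy for this chain."""
    chain_pins = {spki_pin(s) for s in chain_spkis}
    problems = []
    if policy["max_age"] is None:
        problems.append("missing max-age")
    if not policy["pins"] & chain_pins:
        problems.append("no pin matches the served chain")
    if not policy["pins"] - chain_pins:
        problems.append("no backup pin")
    return problems

def chain_passes(policy: dict, chain_spkis: list) -> bool:
    """Pin validation: at least one key in the chain must be pinned."""
    return any(spki_pin(s) in policy["pins"] for s in chain_spkis)

# Constructed sample input: placeholder bytes instead of real DER SPKI blobs.
LEAF, INTERMEDIATE, BACKUP, ROGUE = b"leaf-spki", b"ca-spki", b"backup-spki", b"rogue-spki"
HEADER = (f'pin-sha256="{spki_pin(LEAF)}"; pin-sha256="{spki_pin(BACKUP)}"; '
          'max-age=5184000; includeSubDomains; '
          'report-uri="https://reports.example/hpkp;v=1"')
```

A chain that rotates to the backup key still passes `chain_passes`, which is the recovery path the backup pin exists for; a chain containing none of the pinned keys fails even if every certificate in it is otherwise valid.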

HPKP is standardized in RFC 7469.[1] It expands on static certificate pinning, which hardcodes public key hashes of well-known websites or services within web browsers and applications.[5]

Most browsers disable pinning for certificate chains with private root certificates to enable various corporate content inspection scanners[6] and web debugging tools (such as mitmproxy or Fiddler). The RFC 7469 standard recommends disabling pinning violation reports for "user-defined" root certificates, where it is "acceptable" for the browser to disable pin validation.[7]


If the user agent performs pin validation and fails to find a valid SPKI fingerprint in the served certificate chain, it will POST a JSON-formatted violation report, containing details of the violation, to the host specified in the report-uri directive. This URI may be served via HTTP or HTTPS; however, the user agent cannot send HPKP violation reports to an HTTPS URI in the same domain as the domain for which it is reporting the violation. Hosts may either use HTTP for the report-uri, use an alternative domain, or use a reporting service.[8]

Some browsers also support the Public-Key-Pins-Report-Only header, which triggers this reporting without showing an error to the user.

Browser support and deprecation

HPKP is supported in Firefox and Opera[9] but not in Internet Explorer/Edge.[10] Chrome deprecated HPKP with the release of Chrome 67.[11]



  1. Evans, Chris; Palmer, Chris; Sleevi, Ryan (April 2015). Public Key Pinning Extension for HTTP. IETF. doi:10.17487/RFC7469. ISSN 2070-1721. RFC 7469.
  2. Leyden, John. "RIP HPKP: Google abandons public key pinning". The Register. Retrieved 2018-12-18.
  3. Tung, Liam. "Google: Chrome is backing away from public key pinning, and here's why". ZDNet. Retrieved 2018-12-18.
  4. "About Public Key Pinning". Retrieved 2015-05-07.
  5. "Certificate and Public Key Pinning - OWASP". Retrieved 2015-05-07.
  6. "Security FAQ - The Chromium Projects". Retrieved 2015-07-07.
  7. "RFC 7469 - Public Key Pinning Extension for HTTP". Retrieved 2015-07-07.
  8. "HPKP Violation Reporting". Scott Helme.
  9. "HTTP Public Key Pinning (HPKP)". Mozilla Developer Network. Retrieved 2017-05-27.
  10. "The status of Public Key Pinning Extension for HTTP in Microsoft Edge is Under Consideration". Microsoft Edge Development.
  11. "Deprecations and removals in Chrome 67". Google Developers.
