Google To Remove Public Key Pinning (PKP) Support In Chrome (bleepingcomputer.com), 2017-10-28
An anonymous reader writes: Late yesterday afternoon, Google announced plans to deprecate and eventually remove PKP support from the Chromium open-source browser, which indirectly means from Chrome... According to Google engineer Chris Palmer, low adoption and technical difficulties are among the reasons why Google plans to remove the feature from Chrome.
"We would like to do this in Chrome 67, which is estimated to be released to Stable on 29 May 2018," Palmer says. The proposal is up in the air, and users can submit opinions against Google's intent to deprecate, but seeing how little PKP was adopted, it's most likely already out the door. A Neustar survey from March 2016 had PKP deployment at only 0.09% of all HTTPS sites. By August 2017, that needle had barely moved to 0.4% of all sites in the Alexa Top 1 Million.
444% growth (Score:2)
deployment at only 0.09% of all HTTPS sites. By August 2017, that needle had barely moved to 0.4%
That's 444% growth. If PKP was a startup, its stock would surge.
hpkp 'backup' certs - 'insurance' (Score:2)
Why would a site buy TLS certs from a CA and not use them? E.g. an active and a backup CA provider, since better TLS certs have 'insurance'; quite how you claim it is another matter.
Sure, Let's Encrypt made it easier to have a backup CA (random certs mean you apparently need to edit your HPKP config often for hashes); it seems that HPKP is a disaster.
If you did not have a backup CA (the CAA record needs to reflect it also) then HPKP is deemed incomplete. I can see reasons.
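As an added example (not from the story or the comment above), this is how the backup-pin rule the comment touches on is enforced: RFC 7469 makes a Public-Key-Pins header invalid, and a browser will not store it, unless at least one pin matches the served chain and at least one pin does not. The SPKI byte strings are constructed placeholders standing in for real DER-encoded SubjectPublicKeyInfo blobs.

```python
import base64
import hashlib
import re

# Constructed placeholder SPKI blobs (not real keys). In practice these are
# the DER SubjectPublicKeyInfo bytes extracted from each certificate.
ACTIVE_SPKI = b"constructed-spki-of-the-certificate-currently-served"
BACKUP_SPKI = b"constructed-spki-of-a-key-held-offline-for-rollover"


def pin_sha256(spki_der: bytes) -> str:
    """RFC 7469 pin: base64 of the SHA-256 digest of the DER-encoded SPKI."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def build_pkp_header(spki_list, max_age, include_subdomains=False):
    """Build a Public-Key-Pins header value from a list of SPKI blobs."""
    parts = [f'pin-sha256="{pin_sha256(s)}"' for s in spki_list]
    parts.append(f"max-age={max_age}")
    if include_subdomains:
        parts.append("includeSubDomains")
    return "; ".join(parts)


_PIN_RE = re.compile(r'pin-sha256="([A-Za-z0-9+/=]+)"')


def check_pkp_header(header, served_chain_spkis):
    """Apply the RFC 7469 validity rules a browser applies before noting pins.

    Returns (valid, reason). The header is only valid if at least one pin
    matches an SPKI in the served chain AND at least one pin does not match
    (the backup pin). A site that pins only the key it currently serves has
    an 'incomplete' HPKP deployment: the header is silently ignored.
    """
    pins = set(_PIN_RE.findall(header))
    chain_pins = {pin_sha256(s) for s in served_chain_spkis}
    if not pins:
        return False, "no pin-sha256 directives"
    if "max-age=" not in header:
        return False, "max-age directive missing"
    if not pins & chain_pins:
        return False, "no pin matches the served chain"
    if not pins - chain_pins:
        return False, "no backup pin: every pin is in the served chain"
    return True, "ok"
```

Losing the private key behind the backup pin (or forgetting to rotate the backup into the header before switching CAs) is what turns a valid header into a self-inflicted outage for the max-age period.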
DANE and TLSA (Score:3)
I'd prefer that, rather than key pinning, DANE and TLSA were adopted widely. That'd allow not only attaching a specific certificate to a site but running a site without needing to go to a third party for certificates. Combined with DNSSEC to prevent forgery of the DNS records involved, it's more secure than the CA chain of trust because the site owner/operator is unlikely to issue his own certificates to malicious parties through error or negligence.