Oh my God, they killed HPKP!

This week Google went ahead and removed support for HTTP Public Key Pinning (HPKP) from Chromium after some initial stumbles. The change was committed and tagged for Chromium 72.0.x and can now be observed by users of Chrome Canary.

I’ve been serving visitors of this website an HPKP policy since April 2017, and I must admit I’m disappointed to see it being removed from Chromium. The argument against HPKP seems mainly to be that it’s too complicated and dangerous. That opinion prevailed as people were “copypastaing” HPKP example policies from around the web and thus unknowingly blocking access to their own web servers.

So why were people copying HPKP policies without understanding how the technology worked? Well, let’s blame security researcher Scott Helme, who required websites to have a valid HPKP policy to achieve an A+ rating on his much-vaunted Security Headers test. And as it turns out, people really REALLY wanted that A+ rating.

*Mr Helme has long since removed the HPKP requirement from his test.

But… Google removed HPKP support with the release of Chromium 69, right? Nope, all Chromium versions up to 72.0.x still support HPKP.

Figure: HPKP browser support. Web browsers still supporting HPKP as of October 20, 2018.

I think it’s unfortunate that powerful security features are removed simply because they could theoretically be abused (RansomPKP, really… who’s seen that?). I’m not saying HPKP isn’t flawed, but why not fix it instead of killing it off?

In related news, Mozilla Firefox is still supporting HPKP, so go download that browser for some additional man-in-the-middle (MITM) attack protection where available.