Google will remove Public Key Pinning (PKP) support in Chrome browser

On the afternoon of October 28, Google announced that it would remove PKP support in the Chromium open source browser (which also means deleting Chrome).

PKP - short for Public Key Pinning, is a system described in IETF RFC-7469 that webmasters can use with HTTPS websites.

PKP (also known as HPKP) allows operators to set HTTP headers for their websites. When the user first connects to the site, the PKP header will let the user's browser download a list of public keys created based on the site's HTTPS certificate.

When the user returns to the site, the browser will take one of those keys and try to verify that it matches the site's current HTTPS certificate.

If an attacker tries to impersonate a legitimate domain name and is using a valid HTTPS certificate, the PKP keys will not match and the browser will block the user from viewing the site, assuming it is a fraud or a fraud. Other toxic.

When it was first released, security experts applauded PKP as a welcome security layer and website operators could deploy it to support HTTPS.

However, in practice, PKP is difficult to implement and any errors in PKP setup can lead to incalculable consequences. Errors will cause the user to download an invalid key or the site has another certificate, preventing users from accessing the URL hourly, daily and even monthly. For websites that rely on advertising traffic to pay bills for servers, PKP will become a real problem. That's why many webmasters don't use it anymore.

Google plans to remove PKP in Chrome 67 version in May 2018

According to Google engineer Chris Palmer, technical difficulties are the reason Google plans to remove this feature from Chrome.

Palmer said: We will do this in Chrome 67, scheduled to be released in the Stable version on May 29, 2018.

This is just Google's intention, users can give opinions against the company's decision but it is likely that PKP will still not be approved.