Google will remove Public Key Pinning (PKP) support in Chrome browser

On the afternoon of October 28, Google announced that it would remove PKP support in the Chromium open source browser (which also means deleting Chrome).

PKP - short for Public Key Pinning, is a system described in IETF RFC-7469 that webmasters can use with HTTPS websites.

PKP (also known as HPKP) allows operators to set HTTP headers for their websites. When the user first connects to the site, the PKP header will let the user's browser download a list of public keys created based on the site's HTTPS certificate.

When the user returns to the site, the browser will take one of those keys and try to verify that it matches the site's current HTTPS certificate.

If an attacker tries to impersonate a legitimate domain name and is using a valid HTTPS certificate, the PKP keys will not match and the browser will block the user from viewing the site, assuming it is a fraud or a fraud. Other toxic.

When it was first released, security experts applauded PKP as a welcome security layer and website operators could deploy it to support HTTPS.

Google will remove Public Key Pinning (PKP) support in Chrome browser Picture 1 Google will remove Public Key Pinning (PKP) support in Chrome browser Picture 1

However, in practice, PKP is difficult to implement and any errors in PKP setup can lead to incalculable consequences. Errors will cause the user to download an invalid key or the site has another certificate, preventing users from accessing the URL hourly, daily and even monthly. For websites that rely on advertising traffic to pay bills for servers, PKP will become a real problem. That's why many webmasters don't use it anymore.