GTFO of there! Security researchers turn against HTTP public key pinning

Security researchers have endorsed industry guru Scott Helme's vote of no confidence in a next-generation web crypto technology. Helme said he was "giving up on HPKP" after experimenting with the tech and ultimately finding it too cumbersome for mainstream use even among security-conscious organisations. HTTP Public Key …

  1. Chronos


    It actually makes more sense to pin further up the chain. For example, if I pin to Thawte's intermediate, it's a clear, unequivocal message that I use Thawte (I don't, and other CAs are available) and a certificate issued by, say, WoSign (fat chance) is going to be malicious.

    That way you can revoke, regenerate and reconfigure at whim as long as your trust chain remains unbroken.

    1. Anonymous Coward Silver badge

      Re: Trust

      Great idea, but it only makes sense if:

      1) Your chosen CA will never issue a certificate in error (not pointing any fingers at WoSign specifically) and

      2) You stick with the same CA for long enough. I've changed CA pretty much every renewal as they all have introductory offers that make the certs a reasonable price, but at renewal time it's "standard pricing" which is ludicrously expensive (looking at GoDaddy in particular). Naturally Let's Encrypt is now viable so this may not be an issue in future, but how much faith do you put in such an organisation to stick around?

      It's not that I'm paranoid, but I simply don't trust the tin-foil manufacturers to offer enough head protection.

      1. batfastad

        Re: Trust

        I wish changing CAs was that easy. Unfortunately trying to get the intermediate/bundle that matches the exact cert product you've bought normally means a trawl through far too many of the CA's KB pages.

        1. Anonymous Coward

 to the rescue

          Grabs the intermediate from the CA. As always check the resulting cert with or to make sure it's all above board.

          Or check GitHub to make sure the code is correct

    2. EnviableOne

      Re: Trust

      Isn't that just CAA, which is already implemented in DNS?

  2. John Robson Silver badge

    Still think DNSSEC gives us the better solution here...

    If you run HTTPS then publish your cert in your DNSSEC authenticated DNS records.

    It's not necessarily fully sideband communication, but it's pretty close to it.

    If I can't find your cert in your DNS then I have to trust the CA, if I can find it then it could even be self signed (I do need to trust the holders of the root DNS keys, and the chain below that, but I think they have demonstrated themselves more trustworthy than most of the CAs baked into all our browsers).

    To be fair - this could be combined with the above idea (Chronos) and put the CA cert in your DNS...

    You need to keep some eye on when that changes, but you need to do that what/how-ever you are pinning.

    1. Aodhhan

      Re: Still think DNSSEC gives us the better solution here...

      You realize you're speaking of DANE. It doesn't exactly run with HTTPS; more specifically it works with the TLS protocol.

      However there are some problems using this method on the client side of operations since most application APIs aren't coded to handle this method of adding security to TLS.

      1. John Robson Silver badge

        Re: Still think DNSSEC gives us the better solution here...

        DANE it is then - I'm surprised it took 7 years to get from DNSSEC to DANE, it took me about 30 seconds to realise that it was a pretty damned good way to distribute public keys. (I stopped actively mentioning it and looking for it about 7-8 years ago (job change)).

        DANE support being baked into browsers would make life much easier for many people. I could pin the top level Let's Encrypt CAs and forget about it for a long while.

        We could also drop most of the root CAs from browsers (or at least devalue them to orange padlocks or something, until explicitly trusted (per site or globally?))

        As mentioned below - the CAA record does some of the same, although the actual keys are still not explicitly presented.
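
Added example, not part of any comment in this thread: pinning a CA intermediate as discussed above, showing that the same SPKI digest serves as an HPKP pin (RFC 7469) and as DANE TLSA data (RFC 6698), and which chains such a pin accepts. The SPKI byte strings, chain names and `example.com` are constructed placeholders.

```python
import base64
import hashlib

# Constructed stand-ins for DER-encoded SubjectPublicKeyInfo (SPKI) blobs.
# Real values are extracted from the certificates; all names are hypothetical.
SPKI = {name: b"constructed-spki:" + name.encode() for name in (
    "leaf-2017", "leaf-2018", "misissued-leaf", "other-leaf",
    "ca-a-intermediate", "ca-a-root", "ca-b-intermediate", "ca-b-root")}

def spki_sha256(spki_der: bytes) -> bytes:
    return hashlib.sha256(spki_der).digest()

def hpkp_pin(spki_der: bytes) -> str:
    """RFC 7469 pin-sha256 value: base64 of SHA-256 over the SPKI."""
    return base64.b64encode(spki_sha256(spki_der)).decode("ascii")

def tlsa_rdata(spki_der: bytes, usage: int = 2) -> str:
    """RFC 6698 TLSA rdata: usage 2 (trust anchor), selector 1 (SPKI),
    matching type 1 (SHA-256). Same digest as the HPKP pin, hex-encoded."""
    return f"{usage} 1 1 {spki_sha256(spki_der).hex()}"

def chain_matches(chain, pinned_digests) -> bool:
    """A pin is satisfied if any certificate in the presented chain has a pinned key."""
    return any(spki_sha256(SPKI[name]) in pinned_digests for name in chain)

# Pin the CA's intermediate rather than the site's own leaf key.
PINNED = {spki_sha256(SPKI["ca-a-intermediate"])}

def evaluate_chains() -> dict:
    chains = {
        "current leaf": ["leaf-2017", "ca-a-intermediate", "ca-a-root"],
        "regenerated leaf": ["leaf-2018", "ca-a-intermediate", "ca-a-root"],
        "issued by another CA": ["other-leaf", "ca-b-intermediate", "ca-b-root"],
        # Caveat from the reply: an erroneous issuance by the pinned CA still matches.
        "mis-issued by pinned CA": ["misissued-leaf", "ca-a-intermediate", "ca-a-root"],
    }
    return {label: chain_matches(chain, PINNED) for label, chain in chains.items()}

if __name__ == "__main__":
    print('pin-sha256="%s"' % hpkp_pin(SPKI["ca-a-intermediate"]))
    # example.com is a placeholder owner name for the TLSA record.
    print("_443._tcp.example.com. IN TLSA", tlsa_rdata(SPKI["ca-a-intermediate"]))
    for label, ok in evaluate_chains().items():
        print(f"{label:26} {'accepted' if ok else 'rejected'}")
```

A pin on the intermediate survives leaf key regeneration and rejects other CAs, but it accepts anything the pinned CA issues, which is why it is paired with CAA and Certificate Transparency monitoring in practice.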

  3. Drew 11

    Perhaps now Google and Mozilla can drop the "pinning is better" line and finally bake DANE into their browser software?


    1. Anonymous Coward

      Google's objection was that DNSSEC's key length was too short. That's going up to 2048 bit next month, so hopefully we can get DANE.

  4. sitta_europea Silver badge

    But the banks haven't even done DNSSEC yet...

  5. Beech Horn

    Quite like DNS CAA

    Lets you restrict the authorities, can be updated and further secured with DNSSEC. CAA records combined with CT gets my vote over HPKP, especially as Let's Encrypt doesn't support it.

  6. Mookster


    The mechanism is there, browsers don't use it - FFS they're online. A couple of extra extensions, to tell the next cert' if the current has expired, and bob's your uncle.

  7. John Smith 19 Gold badge

    "The real mistake was the design,..assumes mistakes won't recovery mechanism."

    That right there suggests a very good reason not to touch it with a barge pole.
