HPKP is no more!

It's been an interesting ride over the last few years but HPKP, or HTTP Public Key Pinning, is finally coming to the end of its tenure. With support now gone in the last remaining browser, HPKP has been consigned to the scrap heap.



HPKP

I first wrote about HPKP back in January 2015 with my introductory blog post, HPKP: HTTP Public Key Pinning. It is (was) an incredibly powerful mechanism that allowed a level of protection that couldn't be achieved in any other way, but as the saying goes, 'with great power comes great responsibility'.

It's fair to say I was a fan of HPKP: I added support for reports on Report URI, demonstrated what validation failures looked like, created an extensive toolset to help sites deploy HPKP and even wrote further guidance on setting up HPKP. But, as with all powerful features intended to do good, someone wants to do bad with them too. There were some quite bad things that you could do with HPKP, and when they include terms like HPKP Suicide or Ransom PKP, you can start to get a little idea of just how bad. One year on from that blog post, and after many observations that HPKP was causing more problems than it solved, I announced I was giving up on HPKP.

As part of my move away from HPKP it was removed from the grading on Security Headers and just a month later, Chrome announced they were deprecating HPKP. Was this the death knell for HPKP? At its peak we saw around 3,500 sites in the Top 1 Million sites on the web using HPKP but that number has now tumbled to around 650 sites in recent months. It's probably going to tumble even further in the coming months.


Firefox is deprecating HPKP

The bug to first consider removing support for HPKP in Firefox was opened 2 years ago! Since then you can see that there has been a little discussion around the topic but in the end, HPKP was removed in Firefox 72, meaning it is no more.



Those looking to replace some of the functionality of HPKP can turn to Certificate Transparency and Certificate Authority Authorisation instead. Whilst those 2 mechanisms combined don't quite cover all of the features of HPKP, they can get us quite close and without any of the risks involved. I will be talking about one more feature we can look forward to in an upcoming blog, so check back soon to see details about that.


Removing HPKP Reports from Report URI

It's kind of sad to see HPKP go, especially as CSP and HPKP reports were the opening features of Report URI as a service, but it is time. With Firefox removing support for HPKP there is now no browser that will send these reports, so it's time for them to be removed from the site. In the coming days you will notice HPKP disappear from the site and we will no longer process any HPKP reports that are sent, perhaps from older browsers that have not yet been updated.



There are still quite a number of sites out there delivering either the PKP or PKPRO header, and you can see a list for both of those over on my other project site, Crawler.Ninja. Here is the direct link to those sites delivering the PKP header and those sites delivering the PKPRO header. These sites should now consider disabling these headers.
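If you want to confirm that your own site has actually stopped sending these headers, the following is an added example (my illustration for this post, not code from Report URI or Crawler.Ninja) that parses the Public-Key-Pins (PKP) and Public-Key-Pins-Report-Only (PKPRO) headers as laid out in RFC 7469 and reports whether they are still enforcing or reporting pins. The sample response headers, the pin values and the report-uri are constructed; the optional fetch_headers helper simply issues a HEAD request with urllib.

```python
"""Detect lingering HPKP headers in an HTTP response (added example, not from the post)."""
import urllib.request
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Header names defined in RFC 7469; compared case-insensitively.
HPKP_HEADERS = ("public-key-pins", "public-key-pins-report-only")


@dataclass
class PinPolicy:
    header: str                      # lower-cased header name
    pins: List[str] = field(default_factory=list)
    max_age: Optional[int] = None
    include_subdomains: bool = False
    report_uri: Optional[str] = None

    def is_active(self) -> bool:
        """A policy only takes effect with at least one pin and a positive max-age.
        max-age=0 is the RFC 7469 way of clearing a pin a browser already cached."""
        return bool(self.pins) and self.max_age is not None and self.max_age > 0

    def enforcing(self) -> bool:
        """True for PKP (browsers block on mismatch), False for PKPRO (report only)."""
        return self.header == "public-key-pins"


def parse_hpkp(header_name: str, value: str) -> PinPolicy:
    """Split a PKP/PKPRO value into its ';'-separated directives."""
    policy = PinPolicy(header=header_name.lower())
    for directive in value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, arg = directive.partition("=")
        name = name.strip().lower()
        arg = arg.strip().strip('"')
        if name == "pin-sha256":
            policy.pins.append(arg)
        elif name == "max-age":
            policy.max_age = int(arg)
        elif name == "includesubdomains":
            policy.include_subdomains = True
        elif name == "report-uri":
            policy.report_uri = arg
    return policy


def find_hpkp(headers: List[Tuple[str, str]]) -> List[PinPolicy]:
    """Return a PinPolicy for every HPKP header present in the response."""
    return [parse_hpkp(n, v) for n, v in headers if n.lower() in HPKP_HEADERS]


def hpkp_findings(headers: List[Tuple[str, str]]) -> List[str]:
    """Human-readable findings for a site owner checking their wind-down."""
    findings = []
    for p in find_hpkp(headers):
        mode = "enforcing" if p.enforcing() else "report-only"
        if not p.is_active():
            findings.append(f"{p.header}: present but inactive (max-age={p.max_age}); safe to remove")
            continue
        scope = " (+subdomains)" if p.include_subdomains else ""
        findings.append(
            f"{p.header}: still {mode}, {len(p.pins)} pin(s), max-age={p.max_age}{scope}"
            + (f", reports to {p.report_uri}" if p.report_uri else "")
        )
    return findings


def fetch_headers(url: str, timeout: float = 10.0) -> List[Tuple[str, str]]:
    """Fetch live response headers with a HEAD request (needs network; not used below)."""
    req = urllib.request.Request(url, method="HEAD")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return list(resp.headers.items())


# Constructed sample response: one site still enforcing pins on its whole domain.
SAMPLE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Public-Key-Pins",
     'pin-sha256="AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA="; '
     'pin-sha256="BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB="; '
     'max-age=5184000; includeSubDomains; report-uri="https://example.com/hpkp-report"'),
]

if __name__ == "__main__":
    for line in hpkp_findings(SAMPLE_HEADERS):
        print(line)
```

Run it against a real site by passing fetch_headers("https://your-site.example/") into hpkp_findings. A header that shows up with max-age=0 is not a mistake: that is how a site that pinned in the past tells browsers to forget the cached pin, and it can be dropped once that cache window has passed.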