Slashdot Mirror
Google To Remove Public Key Pinning (PKP) Support In Chrome (bleepingcomputer.com)
An anonymous reader writes: Late yesterday afternoon, Google announced plans to deprecate and eventually remove PKP support from the Chromium open-source browser, which indirectly means from Chrome... According to Google engineer Chris Palmer, low adoption and technical difficulties are among the reasons why Google plans to remove the feature from Chrome.
"We would like to do this in Chrome 67, which is estimated to be released to Stable on 29 May 2018," Palmer says. The proposal is up in the air, and users can submit opinions against Google's intent to deprecate, but seeing how little PKP was adopted, it's most likely already out the door. A Neustar survey from March 2016 had PKP deployment at only 0.09% of all HTTPS sites. By August 2017, that needle had barely moved to 0.4% of all sites in the Alexa Top 1 Million.
"We would like to do this in Chrome 67, which is estimated to be released to Stable on 29 May 2018," Palmer says. The proposal is up in the air, and users can submit opinions against Google's intent to deprecate, but seeing how little PKP was adopted, it's most likely already out the door. A Neustar survey from March 2016 had PKP deployment at only 0.09% of all HTTPS sites. By August 2017, that needle had barely moved to 0.4% of all sites in the Alexa Top 1 Million.
deployment at only 0.09% of all HTTPS sites. By August 2017, that needle had barely moved to 0.4%
That's 444% growth. If PKP was a startup, its stock would surge.
I'd prefer, rather than key pinning, DANE and TLSA were adopted widely. That'd allow not only attaching a specific certificate to a site but running a site without needing to go to a third party for certificates. Combined with DNSSEC to prevent forgery of the DNS records involved it's more secure than the CA chain-of-trust because the site owner/operator's unlikely to issue his own certificates to malicious parties through error or negligence.