[0] https://tools.ietf.org/html/rfc7469
[1] https://www.chromestatus.com/feature/5903385005916160
[2] https://developer.mozilla.org/en-US/docs/Web/HTTP/Public_Key_Pinning
[3] https://tools.ietf.org/html/rfc6844
[4] https://bugzilla.mozilla.org/show_bug.cgi?id=1412438
[5] Coincidentally, version 72
_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform
The breadth of the web public key infrastructure (PKI) is both an asset
and a risk. Websites have a wide range of certificate authorities (CAs)
to choose from to obtain certificates for their domains. As a
consequence, attackers also have a wide range of potential targets to
try to exploit to get a mis-issued certificate. The HTTP Public Key
Pinning (HPKP) [0] header was intended to allow individual sites to
restrict the web PKI to a subset as it applies to their domains, thus
decreasing their exposure to compromised CAs.

Unfortunately, HPKP has seen little adoption, largely because it has
proved to be too dangerous to use. There are a number of scenarios that
can render websites inoperable, even if they themselves don't use the
header. Chrome removed support for it in version 72 in January of this
year [1]. According to our compatibility information, Opera, Android
webview, and Samsung Internet are the only other implementations that
support the header [2]. At this point, it represents too much of a risk
to continue to enable in Firefox.

A related mechanism, DNS Certification Authority Authorization (CAA)
[3], also allows websites to restrict which CAs can issue certificates
for their domains. This has seen much larger adoption and does not
suffer from the drawbacks of HPKP.

Earlier today, bug 1412438 [4] landed in Firefox Nightly [5] to disable
HPKP via a preference. New HPKP headers will not be processed, and
previously-cached HPKP information will not be consulted.

The static list of key pinning information that ships with Firefox is
still enabled, and these pins will still be enforced.
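
How a CA evaluates the CAA records mentioned above before issuing, as an added example that is not part of the original post or of any Mozilla code. It covers RFC 6844 [3] tree climbing and `issue`/`issuewild` matching only and ignores CNAME/DNAME aliases; the zone data, CA names and function names are constructed for illustration.

```python
# Constructed sample CAA data: owner name -> list of (flags, tag, value).
SAMPLE_ZONE = {
    "example.com": [(0, "issue", "ca-one.example"),
                    (0, "issuewild", ";"),
                    (0, "iodef", "mailto:security@example.com")],
    "locked.example.com": [(0, "issue", ";")],
    "odd.example.com": [(128, "futuretag", "x")],
}

KNOWN_TAGS = {"issue", "issuewild", "iodef"}


def relevant_rrset(zone, domain):
    """Climb from domain towards the root; the first name with CAA records wins."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        records = zone.get(".".join(labels[i:]))
        if records:
            return records
    return []


def ca_may_issue(zone, domain, ca_domain):
    """Return True if the CA identified by ca_domain may issue for domain."""
    wildcard = domain.startswith("*.")
    records = relevant_rrset(zone, domain[2:] if wildcard else domain)
    # An unrecognised property with the critical bit (128) set forbids issuance.
    if any(flags & 128 and tag.lower() not in KNOWN_TAGS
           for flags, tag, _ in records):
        return False
    issue = [v for _, t, v in records if t.lower() == "issue"]
    issuewild = [v for _, t, v in records if t.lower() == "issuewild"]
    # issuewild, when present, replaces issue for wildcard requests.
    applicable = issuewild if wildcard and issuewild else issue
    if not applicable:
        return True  # no restriction published: any CA may issue
    # The issuer name is the part before any ";"-separated parameters;
    # a bare ";" yields an empty name, which authorises no CA.
    allowed = {v.split(";", 1)[0].strip().lower() for v in applicable}
    allowed.discard("")
    return ca_domain.lower() in allowed
```

Unlike an HPKP pin, this check happens at issuance time on the CA side, so a mistake in the records blocks a new certificate rather than locking browsers out of a site that is already deployed.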