HTTPS

Late yesterday afternoon, Google announced plans to deprecate and eventually remove PKP support from the Chromium open-source browser, which indirectly means from Chrome.

PKP, which stands for Public Key Pinning, is a system described in IETF RFC-7469 that webmasters can use with HTTPS sites.

PKP, also referred to as HPKP, allows a site operator to set an HTTP header for his site. When users connect to the website for the first time, the PKP header tells the user's browser to download a list of public keys generated against the site's HTTPS certificate.

When the user comes back to the site again, the browser will take one of the keys and attempt to verify if it matches the site's current HTTPS certificate.

If an attacker has managed to spoof a legitimate domain and is using a valid HTTPS certificate, PKP keys will not match, and the browser will block the user from viewing the site, believing it's phishing, a scam, or another malicious impersonator.

PKP was a problematic security feature

When it launched, security experts hailed PKP as a much-welcomed extra security layer that site operators could deploy to assist HTTPS.

In reality, PKP was hard to deploy, and any error in setting it up would result in catastrophic scenarios where users downloaded wrong keys, or the site had a different certificate, completely blocking users from accessing URLs for hours, days, or even months. For sites that relied on ad traffic to pay server bills and couldn't lose even the tiniest bit of traffic, PKP became a real problem, and most webmasters stayed away.

Furthermore, there was also a theoretical scenario where an attacker could use PKP to hijack a site's visitors by issuing his own PKP keys that would stop working after his breach was discovered and the server cleaned. Code for such attacks is available on GitHub.

These were one of the main causes why PKP was never adopted. A Neustar survey from March 2016 had PKP deployment at only 0.09% of all HTTPS sites. By August 2017, that needle had barely moved to 0.4% of all sites in the Alexa Top 1 Million.

Google plans to remove PKP in Chrome 67 (May 2018)

According to Google engineer Chris Palmer, low adoption and technical difficulties is also the reason why Google plans to remove the feature from Chrome.

"We would like to do this in Chrome 67, which is estimated to be released to Stable on 29 May 2018," Palmer says. The proposal is up in the air, and users can submit opinions against Google's intent to deprecate, but seeing how little PKP was adopted, it's most likely already out the door.