Remove HTTP-Based Public Key Pinning - Chrome Platform Status

Remove HTTP-Based Public Key Pinning (removed)

HTTP-Based Public Key Pinning (HPKP) was intended to allow websites to send an HTTP header that pins one or more of the public keys present in the site's certificate chain. It has very low adoption, and although it provides security against certificate misissuance, it also creates risks of denial of service and hostile pinning. See https://groups.google.com/a/chromium.org/d/msg/blink-dev/he9tr7p3rZ8/eNMwKPmUBAAJ for details.

Specification

Established standard

Status in Chromium

Blink components: Security

Removed (tracking bug) in:

Chrome for desktop release 72
Chrome for Android release 72

Consensus & Standardization

After a feature ships in Chrome, the values listed here are not guaranteed to be up to date.

Firefox: No public signals
Edge: No public signals
Safari: No public signals
Web Developers: Mixed signals

Owners

palmer@chromium.org
estark@chromium.org
rsleevi@chromium.org

Last updated on 2018-10-26