Remove HTTP-Based Public Key Pinning (removed)

HTTP-Based Public Key Pinning (HPKP) was intended to allow websites to send an HTTP header that pins one or more of the public keys present in the site's certificate chain. It has very low adoption, and although it provides security against certificate misissuance, it also creates risks of denial of service and hostile pinning. See https://groups.google.com/a/chromium.org/d/msg/blink-dev/he9tr7p3rZ8/eNMwKPmUBAAJ for details.

Specification

Established standard

Status in Chromium

Security


Removed (tracking bug) in:

  • Chrome for desktop release 72
  • Chrome for Android release 72

Consensus & Standardization

After a feature ships in Chrome, the values listed here are not guaranteed to be up to date.

  • No public signals
  • No public signals
  • No public signals
  • Mixed signals

Owners

Last updated on 2018-10-26