HTTP Public Key Pinning – Do or don’t?

I have been in discussions with several security professionals who have told me that HTTP Public Key Pinning (HPKP) is an industry standard and that by not enabling it, an organization could be at serious risk. My point has always been that HPKP has the potential to cause serious issues, including a self-inflicted DoS (denial of service), very easily.

Essentially, HPKP lets an organization specify the exact public keys that browsers can accept for that site for a specified period of time. While I like the concept, I have been very afraid of the damage an organization can inflict on itself if they get the implementation wrong. And it is very easy to get the implementation wrong.

All you have to do is set the pin for a very long duration, say, longer than the time remaining until the certificate expires. Your site will effectively be inaccessible from the certificate's expiry date until the pin itself expires. If you lose the pinned keys, due to compromise, accidental deletion, etc., the site will be inaccessible until the pin expires.

Let's say the CA that you got the keys/certs from is being replaced with a new vendor, or the CA was compromised and you want to replace the keys: you are out of luck until the pin expires. If an attacker takes over your site, either by hijacking your domain or by breaching your network and gaining control of your server, and sets an HPKP header with a very long duration, your site is done for. Even if you regained control of your server, there is no way to undo the HPKP pin.

The primary issue with HPKP is that once you pin a key, you are stuck with that key until the pin expires. If anything happens in between that requires a replacement key, you don't have any options. There is no mechanism to recover from mistakes or unforeseen circumstances. That is the reason I believe the risks outweigh the security benefits of HPKP.
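A pre-deployment sanity check for the self-inflicted outages described above (a pin that outlives the certificate, and no backup key to fall back on), written here as an added example that is not from the original post. Pins are computed as RFC 7469 specifies (base64 of the SHA-256 digest over the DER-encoded SubjectPublicKeyInfo); the two SPKI byte strings below are constructed stand-ins, not real keys, and the `parse_hpkp` / `hpkp_risks` helpers are hypothetical names.

```python
import base64
import hashlib
import re
from datetime import datetime, timedelta, timezone

# Constructed stand-ins for the DER SubjectPublicKeyInfo of the served leaf key
# and of an offline backup key. A real deployment extracts these from the certs.
ACTIVE_SPKI = b"constructed-active-spki-der"
BACKUP_SPKI = b"constructed-backup-spki-der"


def spki_pin(spki_der: bytes) -> str:
    """HPKP pin value: base64(SHA-256(SPKI DER)), as in RFC 7469."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()


def parse_hpkp(header: str) -> dict:
    """Pull the pin-sha256 values and max-age out of a Public-Key-Pins header."""
    pins = re.findall(r'pin-sha256="([^"]+)"', header)
    age = re.search(r"max-age=(\d+)", header)
    return {"pins": pins, "max_age": int(age.group(1)) if age else None}


def hpkp_risks(header: str, served_spki: bytes, not_after: datetime, now: datetime) -> list:
    """Return the problems that would turn this header into a self-inflicted DoS."""
    h = parse_hpkp(header)
    problems = []
    if h["max_age"] is None:
        problems.append("max-age missing: browsers will ignore the header")
    if spki_pin(served_spki) not in h["pins"]:
        problems.append("served key not pinned: browsers will ignore the header")
    if len(set(h["pins"])) < 2:
        problems.append("no backup pin: losing the active key leaves no recovery until the pin expires")
    if h["max_age"] is not None and now + timedelta(seconds=h["max_age"]) > not_after:
        problems.append("max-age outlasts certificate expiry: site unreachable from expiry until the pin expires")
    return problems


def build_header(max_age: int, *spkis: bytes) -> str:
    """Assemble a Public-Key-Pins header from SPKI blobs and a lifetime in seconds."""
    pins = "; ".join('pin-sha256="%s"' % spki_pin(s) for s in spkis)
    return "%s; max-age=%d" % (pins, max_age)


if __name__ == "__main__":
    now = datetime(2020, 1, 1, tzinfo=timezone.utc)
    expiry = now + timedelta(days=30)
    # 60-day pin on a cert with 30 days left: the exact mistake discussed above.
    print(hpkp_risks(build_header(60 * 86400, ACTIVE_SPKI, BACKUP_SPKI), ACTIVE_SPKI, expiry, now))
```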

I do like Ivan Ristic's suggestion that the pin should break automatically if the key expires or the key itself is revoked. I would be a lot more comfortable implementing HPKP if that option to recover were available. Until then, my recommendation would be to stay away from HPKP unless you know exactly what you are doing, especially if you are running mission-critical applications.