{"id":545,"date":"2019-08-16T18:33:28","date_gmt":"2019-08-16T18:33:28","guid":{"rendered":"https:\/\/cheapsslsecurity.com\/p\/?p=545"},"modified":"2019-08-20T10:21:54","modified_gmt":"2019-08-20T10:21:54","slug":"what-is-http-public-key-pinning-and-why-its-not-good","status":"publish","type":"post","link":"https:\/\/cheapsslsecurity.com\/p\/what-is-http-public-key-pinning-and-why-its-not-good\/","title":{"rendered":"What is HTTP Public Key Pinning and Why It&#8217;s Not Good to Practice"},"content":{"rendered":"<p>In the annals of bad human ideas, HTTP public key pinning, or what\u2019s more commonly known as HPKP, ranks right up there with spray-on hair and two-in-one toilet\/bidets. Without straying too far into the proverbial weeds, we\u2019re going to lay out why you definitely shouldn\u2019t be pinning your keys in this blog post.<\/p>\n<p><strong>And to be clear \u2014 just in case you don\u2019t read past this sentence \u2014<\/strong> <strong>don\u2019t pin your keys<\/strong>. Simply put, HPKP is a <em>terrible<\/em> idea, and it\u2019s more likely to break your website than lead to any meaningful improvement in security! <a href=\"https:\/\/www.zdnet.com\/article\/google-chrome-is-backing-away-from-public-key-pinning-and-heres-why\/\" target=\"_blank\" rel=\"noopener noreferrer\">Even Google agrees<\/a>.<\/p>\n<p><!--more--><\/p>\n<h2>What is HTTP Public Key Pinning?<\/h2>\n<p>Generally, when a client arrives at a server, it will use the public key associated with the certificate(s) it\u2019s presented with. This generally means the end-user or leaf certificates and any intermediates involved in the certificate chain. But what if you wanted visitors to your website to use a specific key with those certificates instead of just whichever one is presented to them?<\/p>\n<p>Enter http public key pinning, HPKP, or whatever you\u2019d prefer to call it. 
This allows you to \u201cpin\u201d the keys of your choice in an HTTP header for use with your website\u2019s certificates. In sophisticated enterprise environments, there\u2019s a place for this kind of HTTP public key pinning header configuration. For 99.9% of websites, though, this just adds a needless layer of complexity that doubles as a ticking time bomb.<\/p>\n<h2>What Can Go Wrong with HPKP?<\/h2>\n<p>In a single word? Everything. If you don\u2019t know what you\u2019re doing, that is.<\/p>\n<p>With a standard configuration, any time key rotation is performed, you simply update the certificate, and the server handles delivery of the public key. HPKP removes this convenience and replaces it with an onerous requirement to unpin and re-pin keys until you\u2019ve configured it to your liking. Again, good if you know what you\u2019re doing. Bad if you just want things to work.<\/p>\n<p>Inevitably, someone will forget to pin a rotated key \u2014 or unpin an old one \u2014 and it\u2019s going to cause SSL errors that will prevent visitors from reaching your website. Look, we don\u2019t need to tell you how bad having your site break would be. You know, the whole \u201ccostly downtime, lost service, dissatisfied customers, and damaged reputation\u201d thing. We\u2019ve written about some of the <a href=\"https:\/\/cheapsslsecurity.com\/blog\/how-to-fix-neterr_ssl_pinned_key_not_in_cert_chain\/\">errors that can result from the practice of key pinning<\/a>.<\/p>\n<p>Suffice it to say, key pinning is an open invitation to these problems.<\/p>\n<h2>How Do I Avoid HPKP Problems?<\/h2>\n<p>Abstinence. Do not pin your keys \u2014 period. Everything will still work perfectly fine without pinning your keys. In fact, things will work better. 
Not pinning keys makes rotating keys and swapping certificates substantially easier.<\/p>\n<p>So, long story short: avoid certificate and public key pinning.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>In the annals of bad human ideas, HTTP public key pinning, or what\u2019s more commonly known as HPKP, ranks right up there with spray-on hair and two-in-one toilet\/bidets. Without straying too far into the proverbial weeds, we\u2019re going to lay &hellip; <a href=\"https:\/\/cheapsslsecurity.com\/p\/what-is-http-public-key-pinning-and-why-its-not-good\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":3,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[21],"tags":[37,38,39],"class_list":["post-545","post","type-post","status-publish","format-standard","hentry","category-ssl-advanced","tag-htkp","tag-key-pinning","tag-public-key"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.8 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>What is HTTP Public Key Pinning and Why It&#039;s Not Good to Practice<\/title>\n<meta name=\"description\" content=\"There&#039;s a time &amp; place for everything. HTTP public key pinning is rarely one of them. 
Here&#039;s what to know about SSL certificates and public key pinning.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/cheapsslsecurity.com\/p\/what-is-http-public-key-pinning-and-why-its-not-good\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"What is HTTP Public Key Pinning and Why It&#039;s Not Good to Practice\" \/>\n<meta property=\"og:description\" content=\"There&#039;s a time &amp; place for everything. HTTP public key pinning is rarely one of them. Here&#039;s what to know about SSL certificates and public key pinning.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/cheapsslsecurity.com\/p\/what-is-http-public-key-pinning-and-why-its-not-good\/\" \/>\n<meta property=\"og:site_name\" content=\"Cheap SSL Security\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/CheapSSLSecurities\" \/>\n<meta property=\"article:published_time\" content=\"2019-08-16T18:33:28+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2019-08-20T10:21:54+00:00\" \/>\n<meta name=\"author\" content=\"casey.crane\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@sslsecurity\" \/>\n<meta name=\"twitter:site\" content=\"@sslsecurity\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"casey.crane\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"3 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/cheapsslsecurity.com\\\/p\\\/what-is-http-public-key-pinning-and-why-its-not-good\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/cheapsslsecurity.com\\\/p\\\/what-is-http-public-key-pinning-and-why-its-not-good\\\/\"},\"author\":{\"name\":\"casey.crane\",\"@id\":\"https:\\\/\\\/cheapsslsecurity.com\\\/p\\\/#\\\/schema\\\/person\\\/d9c1744bb0931c1942814061a5aca108\"},\"headline\":\"What is HTTP Public Key Pinning and Why It&#8217;s Not Good to Practice\",\"datePublished\":\"2019-08-16T18:33:28+00:00\",\"dateModified\":\"2019-08-20T10:21:54+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/cheapsslsecurity.com\\\/p\\\/what-is-http-public-key-pinning-and-why-its-not-good\\\/\"},\"wordCount\":528,\"keywords\":[\"HTKP\",\"key pinning\",\"public key\"],\"articleSection\":[\"SSL Advanced\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/cheapsslsecurity.com\\\/p\\\/what-is-http-public-key-pinning-and-why-its-not-good\\\/\",\"url\":\"https:\\\/\\\/cheapsslsecurity.com\\\/p\\\/what-is-http-public-key-pinning-and-why-its-not-good\\\/\",\"name\":\"What is HTTP Public Key Pinning and Why It's Not Good to Practice\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/cheapsslsecurity.com\\\/p\\\/#website\"},\"datePublished\":\"2019-08-16T18:33:28+00:00\",\"dateModified\":\"2019-08-20T10:21:54+00:00\",\"author\":{\"@id\":\"https:\\\/\\\/cheapsslsecurity.com\\\/p\\\/#\\\/schema\\\/person\\\/d9c1744bb0931c1942814061a5aca108\"},\"description\":\"There's a time & place for everything. HTTP public key pinning is rarely one of them. 
Here's what to know about SSL certificates and public key pinning.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/cheapsslsecurity.com\\\/p\\\/what-is-http-public-key-pinning-and-why-its-not-good\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/cheapsslsecurity.com\\\/p\\\/what-is-http-public-key-pinning-and-why-its-not-good\\\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/cheapsslsecurity.com\\\/p\\\/what-is-http-public-key-pinning-and-why-its-not-good\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"SSL Help\",\"item\":\"https:\\\/\\\/cheapsslsecurity.com\\\/p\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"SSL Advanced\",\"item\":\"https:\\\/\\\/cheapsslsecurity.com\\\/p\\\/ssl-advanced\\\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"What is HTTP Public Key Pinning and Why It&#8217;s Not Good to Practice\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/cheapsslsecurity.com\\\/p\\\/#website\",\"url\":\"https:\\\/\\\/cheapsslsecurity.com\\\/p\\\/\",\"name\":\"Cheap SSL Security\",\"description\":\"Shop for SSL Certificates at Cheap 
Prices\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/cheapsslsecurity.com\\\/p\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/cheapsslsecurity.com\\\/p\\\/#\\\/schema\\\/person\\\/d9c1744bb0931c1942814061a5aca108\",\"name\":\"casey.crane\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/c18d819d34a1995e91a4aa7518e9048df7856f336a1ede2262a572db7b1c2506?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/c18d819d34a1995e91a4aa7518e9048df7856f336a1ede2262a572db7b1c2506?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/c18d819d34a1995e91a4aa7518e9048df7856f336a1ede2262a572db7b1c2506?s=96&d=mm&r=g\",\"caption\":\"casey.crane\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"What is HTTP Public Key Pinning and Why It's Not Good to Practice","description":"There's a time & place for everything. HTTP public key pinning is rarely one of them. Here's what to know about SSL certificates and public key pinning.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/cheapsslsecurity.com\/p\/what-is-http-public-key-pinning-and-why-its-not-good\/","og_locale":"en_US","og_type":"article","og_title":"What is HTTP Public Key Pinning and Why It's Not Good to Practice","og_description":"There's a time & place for everything. HTTP public key pinning is rarely one of them. 
Here's what to know about SSL certificates and public key pinning.","og_url":"https:\/\/cheapsslsecurity.com\/p\/what-is-http-public-key-pinning-and-why-its-not-good\/","og_site_name":"Cheap SSL Security","article_publisher":"https:\/\/www.facebook.com\/CheapSSLSecurities","article_published_time":"2019-08-16T18:33:28+00:00","article_modified_time":"2019-08-20T10:21:54+00:00","author":"casey.crane","twitter_card":"summary_large_image","twitter_creator":"@sslsecurity","twitter_site":"@sslsecurity","twitter_misc":{"Written by":"casey.crane","Est. reading time":"3 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/cheapsslsecurity.com\/p\/what-is-http-public-key-pinning-and-why-its-not-good\/#article","isPartOf":{"@id":"https:\/\/cheapsslsecurity.com\/p\/what-is-http-public-key-pinning-and-why-its-not-good\/"},"author":{"name":"casey.crane","@id":"https:\/\/cheapsslsecurity.com\/p\/#\/schema\/person\/d9c1744bb0931c1942814061a5aca108"},"headline":"What is HTTP Public Key Pinning and Why It&#8217;s Not Good to Practice","datePublished":"2019-08-16T18:33:28+00:00","dateModified":"2019-08-20T10:21:54+00:00","mainEntityOfPage":{"@id":"https:\/\/cheapsslsecurity.com\/p\/what-is-http-public-key-pinning-and-why-its-not-good\/"},"wordCount":528,"keywords":["HTKP","key pinning","public key"],"articleSection":["SSL Advanced"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/cheapsslsecurity.com\/p\/what-is-http-public-key-pinning-and-why-its-not-good\/","url":"https:\/\/cheapsslsecurity.com\/p\/what-is-http-public-key-pinning-and-why-its-not-good\/","name":"What is HTTP Public Key Pinning and Why It's Not Good to Practice","isPartOf":{"@id":"https:\/\/cheapsslsecurity.com\/p\/#website"},"datePublished":"2019-08-16T18:33:28+00:00","dateModified":"2019-08-20T10:21:54+00:00","author":{"@id":"https:\/\/cheapsslsecurity.com\/p\/#\/schema\/person\/d9c1744bb0931c1942814061a5aca108"},"description":"There's a time & place for 
everything. HTTP public key pinning is rarely one of them. Here's what to know about SSL certificates and public key pinning.","breadcrumb":{"@id":"https:\/\/cheapsslsecurity.com\/p\/what-is-http-public-key-pinning-and-why-its-not-good\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/cheapsslsecurity.com\/p\/what-is-http-public-key-pinning-and-why-its-not-good\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/cheapsslsecurity.com\/p\/what-is-http-public-key-pinning-and-why-its-not-good\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"SSL Help","item":"https:\/\/cheapsslsecurity.com\/p\/"},{"@type":"ListItem","position":2,"name":"SSL Advanced","item":"https:\/\/cheapsslsecurity.com\/p\/ssl-advanced\/"},{"@type":"ListItem","position":3,"name":"What is HTTP Public Key Pinning and Why It&#8217;s Not Good to Practice"}]},{"@type":"WebSite","@id":"https:\/\/cheapsslsecurity.com\/p\/#website","url":"https:\/\/cheapsslsecurity.com\/p\/","name":"Cheap SSL Security","description":"Shop for SSL Certificates at Cheap 
Prices","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/cheapsslsecurity.com\/p\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/cheapsslsecurity.com\/p\/#\/schema\/person\/d9c1744bb0931c1942814061a5aca108","name":"casey.crane","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/c18d819d34a1995e91a4aa7518e9048df7856f336a1ede2262a572db7b1c2506?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/c18d819d34a1995e91a4aa7518e9048df7856f336a1ede2262a572db7b1c2506?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/c18d819d34a1995e91a4aa7518e9048df7856f336a1ede2262a572db7b1c2506?s=96&d=mm&r=g","caption":"casey.crane"}}]}},"_links":{"self":[{"href":"https:\/\/cheapsslsecurity.com\/p\/wp-json\/wp\/v2\/posts\/545","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/cheapsslsecurity.com\/p\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cheapsslsecurity.com\/p\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/cheapsslsecurity.com\/p\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/cheapsslsecurity.com\/p\/wp-json\/wp\/v2\/comments?post=545"}],"version-history":[{"count":0,"href":"https:\/\/cheapsslsecurity.com\/p\/wp-json\/wp\/v2\/posts\/545\/revisions"}],"wp:attachment":[{"href":"https:\/\/cheapsslsecurity.com\/p\/wp-json\/wp\/v2\/media?parent=545"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cheapsslsecurity.com\/p\/wp-json\/wp\/v2\/categories?post=545"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cheapsslsecurity.com\/p\/wp-json\/wp\/v2\/tags?post=545"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}