+1-888-690-2424

Public Key Pinning

Bruce Morton

In the wake of the Comodo attack, the Internet industry is looking for ways to mitigate similar attacks in the future. Public key pinning may prove to be effective.

Google has developed the public key pinning concept that will debut in Chrome version 13 for most Google Internet properties (e.g., https://www.google.com).

Public key pinning means that a certification authority public key will be white-listed in the browser for a specific domain or set of domains. The white-listed public key is referred to as an HTTPS pin. If the pin is not present when browsing a protected website, then an error will occur in the browser and the requested page will not be presented.

The idea is that Google knows who it has authorized to issue its SSL certificates. If a certificate is found to be issued by another CA – even a legitimate publicly trusted CA – then the certificate will not be trusted. The result is that an unsuspecting browsing party will not be compromised with the help of a fraudulent SSL certificate.

Potential incompatibility issues with corporate man-in-the-middle (MITM) proxies, parental controls and debugging tools have been addressed by allowing user-installed CA certificates to override the pins.

Google appears to be open to offering pinning to other large, high-security websites. For others, the expectation is that pinning will be available through HTTP Strict Transport Security (HSTS). We’ll have to wait and see if other browsers will support Public Key Pinning as well.

Bruce Morton
Bruce Morton
Director, Certificate Technology & Standards

Bruce Morton has worked in the public key infrastructure and digital certificate industry for more than 15 years and has focused on SSL and other publicly trusted certificates since 2005. He has been an active member of the CA/Browser Forum that released guidelines for extended validation (EV) certificates and Baseline Requirements for SSL certificates. Bruce oversees the governance and compliance of Entrust’s publicly trusted PKI.

0 Comments

Add to the Conversation