Public Key Pinning Attack?



  • I'm somewhat knowledgeable in the concept of Public Key Pinning (HPKP) and I see a potential attack where a server admin could pin a particular cert and thus demand that users' browsers only honour that particular certificate.

    However, if the admin wanted to sabotage a company / website and, several months before they left, pinned a certificate for the max duration and then changed the cert on their last day, many users would then have the wrong cert pinned, many may not know how to fix it, and may not contact the company, causing a business disruption.

    My question is, how does a browser handle the pinning? Does clearing the cache remove the pin? What error does the user see on the screen? Is it simply a warning similar to the "self-signed cert" warning?



  • My question is, how does a browser handle the pinning?

    Simply: they don't support HPKP any longer for exactly this kind of problem. See the Compatibility Table for this feature.
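To make the mechanism the question asks about concrete, here is an added example (not code from the original thread or from any browser) that models the HPKP pin rules from RFC 7469 in pure Python: how a `Public-Key-Pins` header is parsed, when a user agent is allowed to note a pin set (a pin must match the served chain and a backup pin must not), how validation of a later connection works, and when the pin set expires. It then walks through the sabotage scenario from the question. The `SPKI` byte strings, the host name and the 60-day `max-age` are constructed stand-ins; no real TLS chain is used.

```python
import base64
import hashlib
import re

# Pure-Python model of the RFC 7469 (HPKP) pin rules. No TLS stack is used;
# the "SPKI" byte strings below stand in for DER SubjectPublicKeyInfo blobs.

PIN_RE = re.compile(r'pin-sha256="([A-Za-z0-9+/=]+)"')
MAX_AGE_RE = re.compile(r'max-age=(\d+)')


def spki_pin(spki_der: bytes) -> str:
    """pin-sha256 value: base64(SHA-256(DER SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()


def parse_pkp_header(header: str):
    """Return (pin set, max-age seconds) from a Public-Key-Pins header value."""
    pins = set(PIN_RE.findall(header))
    m = MAX_AGE_RE.search(header)
    if not pins or m is None:
        return None  # a header without pins or max-age is invalid and ignored
    return pins, int(m.group(1))


def note_pins(store: dict, host: str, header: str, chain_spkis, now: int) -> bool:
    """Record pins for host the way a UA would after a successful connection.

    RFC 7469 requires at least one pin matching the served chain and at least
    one backup pin that does not match it; otherwise the header is ignored.
    """
    parsed = parse_pkp_header(header)
    if parsed is None:
        return False
    pins, max_age = parsed
    chain_pins = {spki_pin(s) for s in chain_spkis}
    if not (pins & chain_pins) or not (pins - chain_pins):
        return False
    if max_age == 0:
        store.pop(host, None)  # max-age=0 clears the stored pin set
        return True
    store[host] = {"pins": pins, "expires": now + max_age}
    return True


def validate_connection(store: dict, host: str, chain_spkis, now: int) -> bool:
    """Pin validation: passes if the host is unpinned or the pins have expired,
    or if any SPKI in the served chain matches any stored pin."""
    entry = store.get(host)
    if entry is None or now >= entry["expires"]:
        store.pop(host, None)  # expired pins are forgotten
        return True
    chain_pins = {spki_pin(s) for s in chain_spkis}
    return bool(entry["pins"] & chain_pins)


# Constructed scenario from the question: an admin pins for a long max-age,
# then swaps the certificate to a key that matches no stored pin.
OLD_SPKI = b"constructed-spki-of-current-leaf-key"
BACKUP_SPKI = b"constructed-spki-of-offline-backup-key"
ROGUE_SPKI = b"constructed-spki-of-replacement-key"
MAX_AGE = 60 * 24 * 3600  # constructed 60-day pin lifetime
DAY = 24 * 3600


def sabotage_timeline() -> dict:
    """Walk the question's scenario through the model and return each outcome."""
    store = {}
    host = "example.com"  # constructed host name
    header = (f'pin-sha256="{spki_pin(OLD_SPKI)}"; '
              f'pin-sha256="{spki_pin(BACKUP_SPKI)}"; max-age={MAX_AGE}')
    return {
        # day 0: pins are noted over a valid connection using the old key
        "noted": note_pins(store, host, header, [OLD_SPKI], now=0),
        # day 1: cert swapped to a key matching no pin -> validation fails
        "rogue_day1": validate_connection(store, host, [ROGUE_SPKI], now=DAY),
        # day 1: the backup key still validates, so recovery is possible
        "backup_day1": validate_connection(store, host, [BACKUP_SPKI], now=DAY),
        # after max-age: the pin set has expired and the host is unpinned again
        "rogue_after_expiry": validate_connection(
            store, host, [ROGUE_SPKI], now=MAX_AGE + DAY),
    }
```

The timeline shows why the backup-pin rule exists: because the stored pins are only revisited over a connection that itself passes pin validation, a site whose live key matches no pin cannot push a corrective header, and affected clients stay locked out until `max-age` runs out unless a pinned backup key is brought online.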


